{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xr"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.media.getVideoList."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /Authorization."}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /Authorization."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 10.3% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 10.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 10.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-48c2-rrv3-qjmp", "name": "yaml: GHSA-48c2-rrv3-qjmp", "shortDescription": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "fullDescription": {"text": "yaml is vulnerable to Stack Overflow via deeply nested YAML 
collections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9jgg-88mc-972h", "name": "webpack-dev-server: GHSA-9jgg-88mc-972h", "shortDescription": {"text": "webpack-dev-server: GHSA-9jgg-88mc-972h"}, "fullDescription": {"text": "webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-79cf-xcqc-c78w", "name": "webpack-dev-server: GHSA-79cf-xcqc-c78w", "shortDescription": {"text": "webpack-dev-server: GHSA-79cf-xcqc-c78w"}, "fullDescription": {"text": "webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4v9v-hfq4-rm2v", "name": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v", "shortDescription": {"text": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v"}, "fullDescription": {"text": "webpack-dev-server users' source code may be stolen when they access a malicious web site"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g9mf-h72j-4rw9", "name": "undici: GHSA-g9mf-h72j-4rw9", "shortDescription": {"text": "undici: GHSA-g9mf-h72j-4rw9"}, "fullDescription": {"text": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4992-7rv2-5pvq", "name": "undici: GHSA-4992-7rv2-5pvq", "shortDescription": {"text": "undici: GHSA-4992-7rv2-5pvq"}, "fullDescription": {"text": "Undici has CRLF Injection in undici via `upgrade` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2mjp-6q6p-2qxm", "name": "undici: GHSA-2mjp-6q6p-2qxm", "shortDescription": {"text": "undici: GHSA-2mjp-6q6p-2qxm"}, "fullDescription": {"text": "Undici has an HTTP Request/Response Smuggling issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v3rj-xjv7-4jmq", "name": "smol-toml: GHSA-v3rj-xjv7-4jmq", "shortDescription": {"text": "smol-toml: GHSA-v3rj-xjv7-4jmq"}, "fullDescription": {"text": "smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": 
""}}, {"id": "GHSA-qj8w-gfj5-8c6v", "name": "serialize-javascript: GHSA-qj8w-gfj5-8c6v", "shortDescription": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "fullDescription": {"text": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6rw7-vpxm-498p", "name": "qs: GHSA-6rw7-vpxm-498p", "shortDescription": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "fullDescription": {"text": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q6x5-8v7m-xcrf", "name": "protobufjs: GHSA-q6x5-8v7m-xcrf", "shortDescription": {"text": "protobufjs: GHSA-q6x5-8v7m-xcrf"}, "fullDescription": {"text": "protobufjs has overlong UTF-8 decoding"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jggg-4jg4-v7c6", "name": "protobufjs: GHSA-jggg-4jg4-v7c6", "shortDescription": {"text": "protobufjs: GHSA-jggg-4jg4-v7c6"}, "fullDescription": {"text": "protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fx83-v9x8-x52w", "name": 
"protobufjs: GHSA-fx83-v9x8-x52w", "shortDescription": {"text": "protobufjs: GHSA-fx83-v9x8-x52w"}, "fullDescription": {"text": "protobuf.js: Prototype injection in generated message constructors"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2pr8-phx7-x9h3", "name": "protobufjs: GHSA-2pr8-phx7-x9h3", "shortDescription": {"text": "protobufjs: GHSA-2pr8-phx7-x9h3"}, "fullDescription": {"text": "protobuf.js: Denial of service from crafted field names in generated code"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vvjj-xcjg-gr5g", "name": "nodemailer: GHSA-vvjj-xcjg-gr5g", "shortDescription": {"text": "nodemailer: GHSA-vvjj-xcjg-gr5g"}, "fullDescription": {"text": "Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mm7p-fcc7-pg87", "name": "nodemailer: GHSA-mm7p-fcc7-pg87", "shortDescription": {"text": "nodemailer: 
GHSA-mm7p-fcc7-pg87"}, "fullDescription": {"text": "Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-65ch-62r8-g69g", "name": "node-forge: GHSA-65ch-62r8-g69g", "shortDescription": {"text": "node-forge: GHSA-65ch-62r8-g69g"}, "fullDescription": {"text": "node-forge is vulnerable to ASN.1 OID Integer Truncation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4fh9-h7wg-q85m", "name": "mdast-util-to-hast: GHSA-4fh9-h7wg-q85m", "shortDescription": {"text": "mdast-util-to-hast: GHSA-4fh9-h7wg-q85m"}, "fullDescription": {"text": "mdast-util-to-hast has unsanitized class attribute"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6vfc-qv3f-vr6c", "name": "markdown-it: GHSA-6vfc-qv3f-vr6c", "shortDescription": {"text": "markdown-it: GHSA-6vfc-qv3f-vr6c"}, "fullDescription": {"text": "Uncontrolled Resource Consumption in markdown-it"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mh29-5h37-fv8m", "name": "js-yaml: GHSA-mh29-5h37-fv8m", "shortDescription": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "fullDescription": {"text": "js-yaml has prototype pollution in merge (<<)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2v4-37r5-5v8g", "name": "ip-address: GHSA-v2v4-37r5-5v8g", "shortDescription": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "fullDescription": {"text": "ip-address has XSS in Address6 HTML-emitting methods"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q89c-q3h5-w34g", "name": "i18next-http-backend: GHSA-q89c-q3h5-w34g", "shortDescription": {"text": "i18next-http-backend: GHSA-q89c-q3h5-w34g"}, "fullDescription": {"text": " i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9gqv-wp59-fq42", "name": "http-proxy-middleware: GHSA-9gqv-wp59-fq42", "shortDescription": {"text": "http-proxy-middleware: GHSA-9gqv-wp59-fq42"}, "fullDescription": {"text": "http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4www-5p9h-95mh", "name": "http-proxy-middleware: GHSA-4www-5p9h-95mh", "shortDescription": {"text": "http-proxy-middleware: GHSA-4www-5p9h-95mh"}, "fullDescription": {"text": "http-proxy-middleware can call writeBody twice because \"else if\" is not used"}, "properties": {"scanner": "osv-scanner", "category": "dependency", 
"severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7rx3-28cr-v5wh", "name": "handlebars: GHSA-7rx3-28cr-v5wh", "shortDescription": {"text": "handlebars: GHSA-7rx3-28cr-v5wh"}, "fullDescription": {"text": "Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2qvq-rjwj-gvw9", "name": "handlebars: GHSA-2qvq-rjwj-gvw9", "shortDescription": {"text": "handlebars: GHSA-2qvq-rjwj-gvw9"}, "fullDescription": {"text": "Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-72gr-qfp7-vwhw", "name": "h3: GHSA-72gr-qfp7-vwhw", "shortDescription": {"text": "h3: GHSA-72gr-qfp7-vwhw"}, "fullDescription": {"text": "h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4hxc-9384-m385", "name": "h3: GHSA-4hxc-9384-m385", "shortDescription": {"text": "h3: GHSA-4hxc-9384-m385"}, "fullDescription": {"text": "h3: SSE Event Injection via Unsanitized Carriage Return (`\\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r4q5-vmmm-2653", "name": "follow-redirects: GHSA-r4q5-vmmm-2653", "shortDescription": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "fullDescription": {"text": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5v7r-6r5c-r473", "name": "file-type: GHSA-5v7r-6r5c-r473", "shortDescription": {"text": "file-type: GHSA-5v7r-6r5c-r473"}, "fullDescription": {"text": "file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jp2q-39xq-3w4g", "name": "fast-xml-parser: GHSA-jp2q-39xq-3w4g", "shortDescription": {"text": "fast-xml-parser: GHSA-jp2q-39xq-3w4g"}, "fullDescription": {"text": "Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gh4j-gqv2-49f6", "name": "fast-xml-parser: GHSA-gh4j-gqv2-49f6", "shortDescription": {"text": "fast-xml-parser: GHSA-gh4j-gqv2-49f6"}, "fullDescription": {"text": "fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xwr5-m59h-vwqr", "name": "electron: GHSA-xwr5-m59h-vwqr", "shortDescription": {"text": "electron: GHSA-xwr5-m59h-vwqr"}, "fullDescription": {"text": "Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xj5x-m3f3-5x3h", "name": "electron: GHSA-xj5x-m3f3-5x3h", "shortDescription": {"text": "electron: GHSA-xj5x-m3f3-5x3h"}, "fullDescription": {"text": "Electron: Service worker can spoof executeJavaScript IPC replies"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": 
"medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vmqv-hx8q-j7mg", "name": "electron: GHSA-vmqv-hx8q-j7mg", "shortDescription": {"text": "electron: GHSA-vmqv-hx8q-j7mg"}, "fullDescription": {"text": "Electron has ASAR Integrity Bypass via resource modification"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5p7-gp4j-qhrx", "name": "electron: GHSA-r5p7-gp4j-qhrx", "shortDescription": {"text": "electron: GHSA-r5p7-gp4j-qhrx"}, "fullDescription": {"text": "Electron: Incorrect origin passed to permission request handler for iframe requests"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mwmh-mq4g-g6gr", "name": "electron: GHSA-mwmh-mq4g-g6gr", "shortDescription": {"text": "electron: GHSA-mwmh-mq4g-g6gr"}, "fullDescription": {"text": "Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f3pv-wv63-48x8", "name": "electron: GHSA-f3pv-wv63-48x8", "shortDescription": {"text": "electron: GHSA-f3pv-wv63-48x8"}, "fullDescription": {"text": "Electron: Named window.open targets not scoped to the opener's browsing context"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9w97-2464-8783", "name": "electron: GHSA-9w97-2464-8783", "shortDescription": {"text": "electron: GHSA-9w97-2464-8783"}, "fullDescription": {"text": "Electron: Use-after-free in download save dialog callback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5rqw-r77c-jp79", "name": "electron: GHSA-5rqw-r77c-jp79", 
"shortDescription": {"text": "electron: GHSA-5rqw-r77c-jp79"}, "fullDescription": {"text": "Electron: AppleScript injection in app.moveToApplicationsFolder on macOS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4p4r-m79c-wq3v", "name": "electron: GHSA-4p4r-m79c-wq3v", "shortDescription": {"text": "electron: GHSA-4p4r-m79c-wq3v"}, "fullDescription": {"text": "Electron: HTTP Response Header Injection in custom protocol handlers and webRequest"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3c8v-cfp5-9885", "name": "electron: GHSA-3c8v-cfp5-9885", "shortDescription": {"text": "electron: GHSA-3c8v-cfp5-9885"}, "fullDescription": {"text": "Electron: Out-of-bounds read in second-instance IPC on macOS and Linux"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xx6v-rp6x-q39c", "name": "axios: GHSA-xx6v-rp6x-q39c", "shortDescription": {"text": "axios: GHSA-xx6v-rp6x-q39c"}, "fullDescription": 
{"text": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w9j2-pvgh-6h63", "name": "axios: GHSA-w9j2-pvgh-6h63", "shortDescription": {"text": "axios: GHSA-w9j2-pvgh-6h63"}, "fullDescription": {"text": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vf2m-468p-8v99", "name": "axios: GHSA-vf2m-468p-8v99", "shortDescription": {"text": "axios: GHSA-vf2m-468p-8v99"}, "fullDescription": {"text": "Axios: HTTP adapter streamed responses bypass maxContentLength"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m7pr-hjqh-92cm", "name": "axios: GHSA-m7pr-hjqh-92cm", "shortDescription": {"text": "axios: GHSA-m7pr-hjqh-92cm"}, "fullDescription": {"text": "Axios: no_proxy bypass via IP alias allows SSRF"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fvcv-3m26-pcqx", "name": "axios: GHSA-fvcv-3m26-pcqx", "shortDescription": {"text": "axios: GHSA-fvcv-3m26-pcqx"}, "fullDescription": {"text": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-898c-q2cr-xwhg", "name": "axios: GHSA-898c-q2cr-xwhg", "shortDescription": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "fullDescription": {"text": "axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions"}, "properties": 
{"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-62hf-57xw-28j9", "name": "axios: GHSA-62hf-57xw-28j9", "shortDescription": {"text": "axios: GHSA-62hf-57xw-28j9"}, "fullDescription": {"text": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c9x-8gcm-mpgx", "name": "axios: GHSA-5c9x-8gcm-mpgx", "shortDescription": {"text": "axios: GHSA-5c9x-8gcm-mpgx"}, "fullDescription": {"text": "Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-445q-vr5w-6q77", "name": "axios: GHSA-445q-vr5w-6q77", "shortDescription": {"text": "axios: GHSA-445q-vr5w-6q77"}, "fullDescription": {"text": "Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3w6x-2g7m-8v23", "name": "axios: GHSA-3w6x-2g7m-8v23", "shortDescription": {"text": "axios: GHSA-3w6x-2g7m-8v23"}, "fullDescription": {"text": "Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j687-52p2-xcff", "name": "astro: GHSA-j687-52p2-xcff", "shortDescription": {"text": "astro: GHSA-j687-52p2-xcff"}, "fullDescription": {"text": "Astro: XSS in define:vars via incomplete </script> tag sanitization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", 
"owasp": ""}}, {"id": "GHSA-9f3f-wv7r-qc8r", "name": "github.com/pion/dtls/v3: GHSA-9f3f-wv7r-qc8r", "shortDescription": {"text": "github.com/pion/dtls/v3: GHSA-9f3f-wv7r-qc8r"}, "fullDescription": {"text": "Pion DTLS's usage of random nonce generation with AES GCM ciphers risks leaking the authentication key"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w239-58x2-q8p5", "name": "github.com/ipld/go-ipld-prime: GHSA-w239-58x2-q8p5", "shortDescription": {"text": "github.com/ipld/go-ipld-prime: GHSA-w239-58x2-q8p5"}, "fullDescription": {"text": "go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-378j-3jfj-8r9f", "name": "github.com/ipld/go-ipld-prime: GHSA-378j-3jfj-8r9f", "shortDescription": {"text": "github.com/ipld/go-ipld-prime: GHSA-378j-3jfj-8r9f"}, "fullDescription": {"text": "go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5pp-99ch-qj29", "name": "github.com/go-git/go-git/v5: GHSA-w5pp-99ch-qj29", "shortDescription": {"text": "github.com/go-git/go-git/v5: GHSA-w5pp-99ch-qj29"}, "fullDescription": {"text": "go-git: Malformed Git object data may cause panics or resource exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-crhj-59gh-8x96", "name": "github.com/go-git/go-git/v5: GHSA-crhj-59gh-8x96", "shortDescription": {"text": "github.com/go-git/go-git/v5: GHSA-crhj-59gh-8x96"}, "fullDescription": {"text": "go-git: Crafted repositories may modify main and submodule .git directories"}, "properties": 
{"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3xc5-wrhm-f963", "name": "github.com/go-git/go-git/v5: GHSA-3xc5-wrhm-f963", "shortDescription": {"text": "github.com/go-git/go-git/v5: GHSA-3xc5-wrhm-f963"}, "fullDescription": {"text": "go-git: Credential leak via cross-host redirect in smart HTTP transport"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m3xc-h892-ggx6", "name": "github.com/go-git/go-billy/v5: GHSA-m3xc-h892-ggx6", "shortDescription": {"text": "github.com/go-git/go-billy/v5: GHSA-m3xc-h892-ggx6"}, "fullDescription": {"text": "go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vrw8-fxc6-2r93", "name": "github.com/go-chi/chi/v5: GHSA-vrw8-fxc6-2r93", "shortDescription": {"text": "github.com/go-chi/chi/v5: GHSA-vrw8-fxc6-2r93"}, "fullDescription": {"text": "chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vp62-88p7-qqf5", "name": "github.com/docker/docker: GHSA-vp62-88p7-qqf5", "shortDescription": {"text": "github.com/docker/docker: GHSA-vp62-88p7-qqf5"}, "fullDescription": {"text": "Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xmrv-pmrh-hhx2", "name": "github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: GHSA-xmrv-pmrh-hhx2", "shortDescription": {"text": 
"github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: GHSA-xmrv-pmrh-hhx2"}, "fullDescription": {"text": "Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC112", "name": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/templa", "shortDescription": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. 
Using either with user input = XSS."}, "fullDescription": {"text": "Use `html/template` (NOT `text/template`) for HTML responses. Never wrap user input with `template.HTML/JS/URL`."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. 
The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. 
Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@config-plugins/react-native-webrtc` is 5 major version(s) behind (10.0.0 -> 15.0.1)", "shortDescription": {"text": "npm package `@config-plugins/react-native-webrtc` is 5 major version(s) behind (10.0.0 -> 15.0.1)"}, "fullDescription": {"text": "`@config-plugins/react-native-webrtc` is pinned/resolved at 10.0.0 but the latest stable release on the npm registry is 15.0.1 (5 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-8fgc-7cc6-rx7x", "name": "webpack: GHSA-8fgc-7cc6-rx7x", "shortDescription": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "fullDescription": {"text": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38r7-794h-5758", "name": "webpack: GHSA-38r7-794h-5758", "shortDescription": {"text": "webpack: GHSA-38r7-794h-5758"}, "fullDescription": {"text": "webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects \u2192 SSRF + cache persistence"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-52f5-9888-hmc6", "name": "tmp: GHSA-52f5-9888-hmc6", "shortDescription": {"text": "tmp: GHSA-52f5-9888-hmc6"}, "fullDescription": {"text": "tmp 
allows arbitrary temporary file / directory write via symbolic link `dir` parameter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w7fw-mjwx-w883", "name": "qs: GHSA-w7fw-mjwx-w883", "shortDescription": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "fullDescription": {"text": "qs's arrayLimit bypass in comma parsing allows denial of service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-76c9-3jph-rj3q", "name": "on-headers: GHSA-76c9-3jph-rj3q", "shortDescription": {"text": "on-headers: GHSA-76c9-3jph-rj3q"}, "fullDescription": {"text": "on-headers is vulnerable to http response header manipulation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c7w3-x93f-qmm8", "name": "nodemailer: GHSA-c7w3-x93f-qmm8", "shortDescription": {"text": "nodemailer: GHSA-c7w3-x93f-qmm8"}, "fullDescription": {"text": "Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-442j-39wm-28r2", "name": "handlebars: GHSA-442j-39wm-28r2", "shortDescription": {"text": "handlebars: GHSA-442j-39wm-28r2"}, "fullDescription": {"text": "Handlebars.js has a Property Access Validation Bypass in container.lookup"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fj3w-jwp8-x2g3", "name": "fast-xml-parser: GHSA-fj3w-jwp8-x2g3", "shortDescription": {"text": "fast-xml-parser: GHSA-fj3w-jwp8-x2g3"}, "fullDescription": {"text": "fast-xml-parser has stack overflow in XMLBuilder with preserveOrder"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-848j-6mx2-7j84", "name": "elliptic: GHSA-848j-6mx2-7j84", "shortDescription": {"text": "elliptic: GHSA-848j-6mx2-7j84"}, "fullDescription": {"text": "Elliptic Uses a Cryptographic Primitive with a Risky Implementation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jfqx-fxh3-c62j", "name": "electron: GHSA-jfqx-fxh3-c62j", "shortDescription": {"text": "electron: GHSA-jfqx-fxh3-c62j"}, "fullDescription": {"text": "Electron: Unquoted executable path in app.setLoginItemSettings on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f37v-82c4-4x64", "name": "electron: GHSA-f37v-82c4-4x64", "shortDescription": {"text": "electron: GHSA-f37v-82c4-4x64"}, "fullDescription": {"text": "Electron: Crash in clipboard.readImage() on malformed clipboard image data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9899-m83m-qhpj", "name": "electron: GHSA-9899-m83m-qhpj", "shortDescription": {"text": "electron: GHSA-9899-m83m-qhpj"}, "fullDescription": {"text": "Electron: USB device selection not validated against filtered device list"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8x5q-pvf5-64mp", "name": "electron: GHSA-8x5q-pvf5-64mp", "shortDescription": {"text": "electron: GHSA-8x5q-pvf5-64mp"}, "fullDescription": {"text": "Electron: Use-after-free in offscreen shared texture release() callback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-73rr-hh4g-fpgx", "name": "diff: GHSA-73rr-hh4g-fpgx", 
"shortDescription": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "fullDescription": {"text": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pxg6-pf52-xh8x", "name": "cookie: GHSA-pxg6-pf52-xh8x", "shortDescription": {"text": "cookie: GHSA-pxg6-pf52-xh8x"}, "fullDescription": {"text": "cookie accepts cookie name, path, and domain with out of bounds characters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v6h2-p8h4-qcjw", "name": "brace-expansion: GHSA-v6h2-p8h4-qcjw", "shortDescription": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "fullDescription": {"text": "brace-expansion Regular Expression Denial of Service vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xhjh-pmcv-23jw", "name": "axios: GHSA-xhjh-pmcv-23jw", "shortDescription": {"text": "axios: GHSA-xhjh-pmcv-23jw"}, "fullDescription": {"text": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xr5h-phrj-8vxv", "name": "astro: GHSA-xr5h-phrj-8vxv", "shortDescription": {"text": "astro: GHSA-xr5h-phrj-8vxv"}, "fullDescription": {"text": "Astro: Server island encrypted parameters vulnerable to cross-component replay"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vpq2-c234-7xj6", "name": "@tootallnate/once: GHSA-vpq2-c234-7xj6", "shortDescription": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "fullDescription": {"text": "@tootallnate/once vulnerable to 
Incorrect Control Flow Scoping"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6475-r3vj-m8vf", "name": "@smithy/config-resolver: GHSA-6475-r3vj-m8vf", "shortDescription": {"text": "@smithy/config-resolver: GHSA-6475-r3vj-m8vf"}, "fullDescription": {"text": "AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j88v-2chj-qfwx", "name": "github.com/jackc/pgx/v5: GHSA-j88v-2chj-qfwx", "shortDescription": {"text": "github.com/jackc/pgx/v5: GHSA-j88v-2chj-qfwx"}, "fullDescription": {"text": "pgx: SQL Injection via placeholder confusion with dollar quoted string literals"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m7cr-m3pv-hgrp", "name": "github.com/go-git/go-git/v5: GHSA-m7cr-m3pv-hgrp", "shortDescription": {"text": "github.com/go-git/go-git/v5: GHSA-m7cr-m3pv-hgrp"}, "fullDescription": {"text": "go-git: Improper single-quote escaping in go-git SSH transport"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4vq8-7jfc-9cvp", "name": "github.com/docker/docker: GHSA-4vq8-7jfc-9cvp", "shortDescription": {"text": "github.com/docker/docker: GHSA-4vq8-7jfc-9cvp"}, "fullDescription": {"text": "Moby firewalld reload removes bridge network isolation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9c48-w39g-hm26", "name": "rsa: GHSA-9c48-w39g-hm26", "shortDescription": {"text": "rsa: GHSA-9c48-w39g-hm26"}, "fullDescription": {"text": "rsa crate has potential panic on a prime being equal to 1"}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.", "shortDescription": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 22 more): Same pattern found in 22 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC111", "name": "[SEC111] Django mark_safe / |safe filter on user data (and 3 more): Same pattern found in 3 additional files. Review if ", "shortDescription": {"text": "[SEC111] Django mark_safe / |safe filter on user data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use `django.utils.html.format_html(\"<p>{}</p>\", user_input)` \u2014 Django will escape the placeholder. Or escape explicitly with `django.utils.html.escape()`. Only use `mark_safe` on string literals."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED088", "name": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks.", "shortDescription": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 47 more): Same pattern found in 47 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private, loopback and link-local ranges explicitly: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 127.0.0.0/8 and the IPv6 equivalents (::1, fc00::/7, fe80::/10). Apply the check to the resolved IP address, not only the hostname, and repeat it on every redirect."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 42 more): Same pattern found in 42 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 43 more): Same pattern found in 43 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 43 more): Same pattern found in 43 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 83 more): Same pattern found in 83 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 83 more): Same pattern found in 83 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 18 more): Same pattern found in 18 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 16 more): Same pattern found in 16 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /clip/:did/clip.mp4."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /clip/:did/clip.mp4."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "RUSTSEC-2025-0055", "name": "tracing-subscriber: RUSTSEC-2025-0055", "shortDescription": {"text": "tracing-subscriber: RUSTSEC-2025-0055"}, "fullDescription": {"text": "Logging user input may result in poisoning logs with ANSI escape sequences"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0009", "name": "time: RUSTSEC-2026-0009", "shortDescription": {"text": "time: RUSTSEC-2026-0009"}, "fullDescription": {"text": "Denial of Service via Stack Exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0047", "name": "slab: RUSTSEC-2025-0047", "shortDescription": {"text": "slab: RUSTSEC-2025-0047"}, "fullDescription": {"text": "Out-of-bounds access in `get_disjoint_mut` due to incorrect 
bounds check"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0104", "name": "rustls-webpki: RUSTSEC-2026-0104", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0104"}, "fullDescription": {"text": "Reachable panic in certificate revocation list parsing"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0099", "name": "rustls-webpki: RUSTSEC-2026-0099", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0099"}, "fullDescription": {"text": "Name constraints were accepted for certificates asserting a wildcard name"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0098", "name": "rustls-webpki: RUSTSEC-2026-0098", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0098"}, "fullDescription": {"text": "Name constraints for URI names were incorrectly accepted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0049", "name": "rustls-webpki: RUSTSEC-2026-0049", "shortDescription": {"text": "rustls-webpki: RUSTSEC-2026-0049"}, "fullDescription": {"text": "CRLs not considered authoritative by Distribution Point due to faulty matching logic"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0097", "name": "rand: RUSTSEC-2026-0097", "shortDescription": {"text": "rand: RUSTSEC-2026-0097"}, "fullDescription": {"text": "Rand is unsound with a custom logger using `rand::rng()`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": 
"RUSTSEC-2026-0037", "name": "quinn-proto: RUSTSEC-2026-0037", "shortDescription": {"text": "quinn-proto: RUSTSEC-2026-0037"}, "fullDescription": {"text": "Denial of service in Quinn endpoints"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0436", "name": "paste: RUSTSEC-2024-0436", "shortDescription": {"text": "paste: RUSTSEC-2024-0436"}, "fullDescription": {"text": "paste - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0002", "name": "lru: RUSTSEC-2026-0002", "shortDescription": {"text": "lru: RUSTSEC-2026-0002"}, "fullDescription": {"text": "`IterMut` violates Stacked Borrows by invalidating internal pointer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0384", "name": "instant: RUSTSEC-2024-0384", "shortDescription": {"text": "instant: RUSTSEC-2024-0384"}, "fullDescription": {"text": "`instant` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0119", "name": "hickory-proto: RUSTSEC-2026-0119", "shortDescription": {"text": "hickory-proto: RUSTSEC-2026-0119"}, "fullDescription": {"text": "CPU exhaustion during message encoding due to O(n\u00b2) name compression"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0118", "name": "hickory-proto: RUSTSEC-2026-0118", "shortDescription": {"text": "hickory-proto: RUSTSEC-2026-0118"}, "fullDescription": {"text": "NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2026-0007", "name": "bytes: RUSTSEC-2026-0007", "shortDescription": {"text": "bytes: RUSTSEC-2026-0007"}, "fullDescription": {"text": "Integer overflow in `BytesMut::reserve`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0141", "name": "bincode: RUSTSEC-2025-0141", "shortDescription": {"text": "bincode: RUSTSEC-2025-0141"}, "fullDescription": {"text": "Bincode is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2023-0089", "name": "atomic-polyfill: RUSTSEC-2023-0089", "shortDescription": {"text": "atomic-polyfill: RUSTSEC-2023-0089"}, "fullDescription": {"text": "atomic-polyfill is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p9ff-h696-f583", "name": "vite: GHSA-p9ff-h696-f583", "shortDescription": {"text": "vite: GHSA-p9ff-h696-f583"}, "fullDescription": {"text": "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vrm6-8vpv-qv8q", "name": "undici: GHSA-vrm6-8vpv-qv8q", "shortDescription": {"text": "undici: GHSA-vrm6-8vpv-qv8q"}, "fullDescription": {"text": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v9p9-hfj2-hcw8", "name": "undici: GHSA-v9p9-hfj2-hcw8", "shortDescription": {"text": "undici: GHSA-v9p9-hfj2-hcw8"}, "fullDescription": {"text": "Undici has Unhandled Exception in 
WebSocket Client Due to Invalid server_max_window_bits Validation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f269-vfmq-vjvj", "name": "undici: GHSA-f269-vfmq-vjvj", "shortDescription": {"text": "undici: GHSA-f269-vfmq-vjvj"}, "fullDescription": {"text": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ph9p-34f9-6g65", "name": "tmp: GHSA-ph9p-34f9-6g65", "shortDescription": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "fullDescription": {"text": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vj76-c3g6-qr5v", "name": "tar-fs: GHSA-vj76-c3g6-qr5v", "shortDescription": {"text": "tar-fs: GHSA-vj76-c3g6-qr5v"}, "fullDescription": {"text": "tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8cj5-5rvv-wf4v", "name": "tar-fs: GHSA-8cj5-5rvv-wf4v", "shortDescription": {"text": "tar-fs: GHSA-8cj5-5rvv-wf4v"}, "fullDescription": {"text": "tar-fs can extract outside the specified dir with a specific tarball"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r6q2-hw4h-h46w", "name": "tar: GHSA-r6q2-hw4h-h46w", "shortDescription": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "fullDescription": {"text": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qffp-2rhf-9h96", "name": "tar: GHSA-qffp-2rhf-9h96", "shortDescription": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "fullDescription": {"text": "tar has Hardlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9ppj-qmqm-q256", "name": "tar: GHSA-9ppj-qmqm-q256", "shortDescription": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "fullDescription": {"text": "node-tar Symlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8qq5-rm4j-mr97", "name": "tar: GHSA-8qq5-rm4j-mr97", "shortDescription": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "fullDescription": {"text": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-83g3-92jg-28cx", "name": "tar: GHSA-83g3-92jg-28cx", "shortDescription": {"text": "tar: GHSA-83g3-92jg-28cx"}, "fullDescription": {"text": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-34x7-hfp2-rc4v", "name": "tar: GHSA-34x7-hfp2-rc4v", "shortDescription": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "fullDescription": {"text": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c6j-r48x-rmvq", 
"name": "serialize-javascript: GHSA-5c6j-r48x-rmvq", "shortDescription": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "fullDescription": {"text": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mw96-cpmx-2vgc", "name": "rollup: GHSA-mw96-cpmx-2vgc", "shortDescription": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "fullDescription": {"text": "Rollup 4 has Arbitrary File Write via Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jvwf-75h9-cwgg", "name": "protobufjs: GHSA-jvwf-75h9-cwgg", "shortDescription": {"text": "protobufjs: GHSA-jvwf-75h9-cwgg"}, "fullDescription": {"text": "protobuf.js: Process-wide denial of service through unsafe option paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-75px-5xx7-5xc7", "name": "protobufjs: GHSA-75px-5xx7-5xc7", "shortDescription": {"text": "protobufjs: GHSA-75px-5xx7-5xc7"}, "fullDescription": {"text": "protobuf.js: Code generation gadget after prototype pollution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-685m-2w69-288q", "name": "protobufjs: GHSA-685m-2w69-288q", "shortDescription": {"text": "protobufjs: GHSA-685m-2w69-288q"}, "fullDescription": {"text": "protobuf.js: Denial of service through unbounded protobuf recursion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-66ff-xgx4-vchm", "name": "protobufjs: GHSA-66ff-xgx4-vchm", "shortDescription": {"text": "protobufjs: GHSA-66ff-xgx4-vchm"}, 
"fullDescription": {"text": "protobuf.js: Code injection through bytes field defaults in generated toObject code"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rhx6-c78j-4q9w", "name": "path-to-regexp: GHSA-rhx6-c78j-4q9w", "shortDescription": {"text": "path-to-regexp: GHSA-rhx6-c78j-4q9w"}, "fullDescription": {"text": "path-to-regexp contains a ReDoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-37ch-88jc-xwx2", "name": "path-to-regexp: GHSA-37ch-88jc-xwx2", "shortDescription": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "fullDescription": {"text": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rcmh-qjqh-p98v", "name": "nodemailer: GHSA-rcmh-qjqh-p98v", "shortDescription": {"text": "nodemailer: GHSA-rcmh-qjqh-p98v"}, "fullDescription": {"text": "Nodemailer\u2019s addressparser is vulnerable to DoS caused by recursive calls"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q67f-28xg-22rw", "name": "node-forge: GHSA-q67f-28xg-22rw", "shortDescription": {"text": "node-forge: GHSA-q67f-28xg-22rw"}, "fullDescription": {"text": "Forge has signature forgery in Ed25519 due to missing S > L check"}, "properties": 
{"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ppp5-5v6c-4jwp", "name": "node-forge: GHSA-ppp5-5v6c-4jwp", "shortDescription": {"text": "node-forge: GHSA-ppp5-5v6c-4jwp"}, "fullDescription": {"text": "Forge has signature forgery in RSA-PKCS due to ASN.1 extra field  "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5m6q-g25r-mvwx", "name": "node-forge: GHSA-5m6q-g25r-mvwx", "shortDescription": {"text": "node-forge: GHSA-5m6q-g25r-mvwx"}, "fullDescription": {"text": "Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5gfm-wpxj-wjgq", "name": "node-forge: GHSA-5gfm-wpxj-wjgq", "shortDescription": {"text": "node-forge: GHSA-5gfm-wpxj-wjgq"}, "fullDescription": {"text": "node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-554w-wpv2-vw27", "name": "node-forge: GHSA-554w-wpv2-vw27", "shortDescription": {"text": "node-forge: GHSA-554w-wpv2-vw27"}, "fullDescription": {"text": "node-forge has ASN.1 Unbounded Recursion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2328-f5f3-gj25", "name": "node-forge: GHSA-2328-f5f3-gj25", "shortDescription": {"text": "node-forge: GHSA-2328-f5f3-gj25"}, "fullDescription": {"text": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, 
"cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8cpq-38p9-67gx", "name": "kysely: GHSA-8cpq-38p9-67gx", "shortDescription": {"text": "kysely: GHSA-8cpq-38p9-67gx"}, "fullDescription": {"text": "Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": 
"high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-869p-cjfg-cm3x", "name": "jws: GHSA-869p-cjfg-cm3x", "shortDescription": {"text": "jws: GHSA-869p-cjfg-cm3x"}, "fullDescription": {"text": "auth0/node-jws Improperly Verifies HMAC Signature"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m5qc-5hw7-8vg7", "name": "image-size: GHSA-m5qc-5hw7-8vg7", "shortDescription": {"text": "image-size: GHSA-m5qc-5hw7-8vg7"}, "fullDescription": {"text": "image-size Denial of Service via Infinite Loop during Image Processing"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c7qv-q95q-8v27", "name": "http-proxy-middleware: GHSA-c7qv-q95q-8v27", "shortDescription": {"text": "http-proxy-middleware: GHSA-c7qv-q95q-8v27"}, "fullDescription": {"text": "Denial of service in http-proxy-middleware"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xjpj-3mr7-gcpf", "name": "handlebars: GHSA-xjpj-3mr7-gcpf", "shortDescription": {"text": "handlebars: GHSA-xjpj-3mr7-gcpf"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xhpv-hc6g-r9c6", "name": "handlebars: GHSA-xhpv-hc6g-r9c6", "shortDescription": {"text": "handlebars: GHSA-xhpv-hc6g-r9c6"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9cx6-37pm-9jff", "name": "handlebars: 
GHSA-9cx6-37pm-9jff", "shortDescription": {"text": "handlebars: GHSA-9cx6-37pm-9jff"}, "fullDescription": {"text": "Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3mfm-83xf-c92r", "name": "handlebars: GHSA-3mfm-83xf-c92r", "shortDescription": {"text": "handlebars: GHSA-3mfm-83xf-c92r"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5j98-mcp5-4vw2", "name": "glob: GHSA-5j98-mcp5-4vw2", "shortDescription": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "fullDescription": {"text": "glob CLI: Command injection via -c/--cmd executes matches with shell:true"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rf6f-7fwh-wjgh", "name": "flatted: GHSA-rf6f-7fwh-wjgh", "shortDescription": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "fullDescription": {"text": "Prototype Pollution via parse() in NodeJS flatted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-25h7-pfq9-p65f", "name": "flatted: GHSA-25h7-pfq9-p65f", "shortDescription": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "fullDescription": {"text": "flatted vulnerable to unbounded recursion DoS in parse() revive phase"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8gc5-j5rx-235r", "name": "fast-xml-parser: GHSA-8gc5-j5rx-235r", "shortDescription": {"text": "fast-xml-parser: GHSA-8gc5-j5rx-235r"}, "fullDescription": {"text": 
"fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5wm8-gmm8-39j9", "name": "fast-xml-builder: GHSA-5wm8-gmm8-39j9", "shortDescription": {"text": "fast-xml-builder: GHSA-5wm8-gmm8-39j9"}, "fullDescription": {"text": "fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v39h-62p7-jpjc", "name": "fast-uri: GHSA-v39h-62p7-jpjc", "shortDescription": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "fullDescription": {"text": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3j6-qgpj-74h6", "name": "fast-uri: GHSA-q3j6-qgpj-74h6", "shortDescription": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "fullDescription": {"text": "fast-uri vulnerable to path traversal via percent-encoded dot segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jjp3-mq3x-295m", "name": "electron: GHSA-jjp3-mq3x-295m", "shortDescription": {"text": "electron: GHSA-jjp3-mq3x-295m"}, "fullDescription": {"text": "Electron: Use-after-free in PowerMonitor on Windows and macOS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9wfr-w7mm-pc7f", "name": "electron: GHSA-9wfr-w7mm-pc7f", "shortDescription": {"text": "electron: GHSA-9wfr-w7mm-pc7f"}, "fullDescription": {"text": "Electron: Renderer command-line switch 
injection via undocumented commandLineSwitches webPreference"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8337-3p73-46f4", "name": "electron: GHSA-8337-3p73-46f4", "shortDescription": {"text": "electron: GHSA-8337-3p73-46f4"}, "fullDescription": {"text": "Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-532v-xpq5-8h95", "name": "electron: GHSA-532v-xpq5-8h95", "shortDescription": {"text": "electron: GHSA-532v-xpq5-8h95"}, "fullDescription": {"text": "Electron: Use-after-free in offscreen child window paint callback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-77vg-94rm-hx3p", "name": "devalue: GHSA-77vg-94rm-hx3p", "shortDescription": {"text": "devalue: GHSA-77vg-94rm-hx3p"}, "fullDescription": {"text": "Svelte devalue: DoS via sparse array deserialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-737v-mqg7-c878", "name": "defu: GHSA-737v-mqg7-c878", "shortDescription": {"text": "defu: GHSA-737v-mqg7-c878"}, "fullDescription": {"text": "defu: Prototype pollution via `__proto__` key in defaults argument"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3xgq-45jj-v275", "name": "cross-spawn: GHSA-3xgq-45jj-v275", "shortDescription": {"text": "cross-spawn: GHSA-3xgq-45jj-v275"}, "fullDescription": {"text": "Regular Expression Denial of Service (ReDoS) in cross-spawn"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", 
"confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8qp-cvcw-x6jj", "name": "axios: GHSA-q8qp-cvcw-x6jj", "shortDescription": {"text": "axios: GHSA-q8qp-cvcw-x6jj"}, "fullDescription": {"text": "Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pf86-5x62-jrwf", "name": "axios: GHSA-pf86-5x62-jrwf", "shortDescription": {"text": "axios: GHSA-pf86-5x62-jrwf"}, "fullDescription": {"text": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p92q-9vqr-4j8v", "name": "axios: GHSA-p92q-9vqr-4j8v", "shortDescription": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "fullDescription": {"text": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j5f8-grm9-p9fc", "name": "axios: GHSA-j5f8-grm9-p9fc", "shortDescription": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "fullDescription": {"text": "Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hfxv-24rg-xrqf", "name": "axios: GHSA-hfxv-24rg-xrqf", "shortDescription": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "fullDescription": {"text": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 
0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-777c-7fjr-54vf", "name": "axios: GHSA-777c-7fjr-54vf", "shortDescription": {"text": "axios: GHSA-777c-7fjr-54vf"}, "fullDescription": {"text": "Allocation of Resources Without Limits or Throttling in Axios"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6chq-wfr3-2hj9", "name": "axios: GHSA-6chq-wfr3-2hj9", "shortDescription": {"text": "axios: GHSA-6chq-wfr3-2hj9"}, "fullDescription": {"text": "Axios: Header Injection via Prototype Pollution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pjwm-pj3p-43mv", "name": "axios: GHSA-pjwm-pj3p-43mv", "shortDescription": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "fullDescription": {"text": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3g43-6gmg-66jw", "name": "axios: GHSA-3g43-6gmg-66jw", "shortDescription": {"text": "axios: GHSA-3g43-6gmg-66jw"}, "fullDescription": {"text": "axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-35jp-ww65-95wh", "name": "axios: GHSA-35jp-ww65-95wh", "shortDescription": {"text": "axios: GHSA-35jp-ww65-95wh"}, "fullDescription": {"text": "axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x6wf-f3px-wcqx", "name": "@xmldom/xmldom: 
GHSA-x6wf-f3px-wcqx", "shortDescription": {"text": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx"}, "fullDescription": {"text": "xmldom has XML node injection through unvalidated processing instruction serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wh4c-j3r5-mjhp", "name": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp", "shortDescription": {"text": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp"}, "fullDescription": {"text": "xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j759-j44w-7fr8", "name": "@xmldom/xmldom: GHSA-j759-j44w-7fr8", "shortDescription": {"text": "@xmldom/xmldom: GHSA-j759-j44w-7fr8"}, "fullDescription": {"text": "xmldom has XML node injection through unvalidated comment serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f6ww-3ggp-fr8h", "name": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h", "shortDescription": {"text": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h"}, "fullDescription": {"text": "xmldom has XML injection through unvalidated DocumentType serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2v35-w6hq-6mfw", "name": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw", "shortDescription": {"text": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw"}, "fullDescription": {"text": "xmldom: Uncontrolled recursion in XML serialization leads to DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jg4p-7fhp-p32p", "name": "@hapi/content: GHSA-jg4p-7fhp-p32p", "shortDescription": {"text":
"@hapi/content: GHSA-jg4p-7fhp-p32p"}, "fullDescription": {"text": "@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-36hh-x5p5-jgc8", "name": "@hapi/content: GHSA-36hh-x5p5-jgc8", "shortDescription": {"text": "@hapi/content: GHSA-36hh-x5p5-jgc8"}, "fullDescription": {"text": "@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5039", "name": "stdlib: GO-2026-5039", "shortDescription": {"text": "stdlib: GO-2026-5039"}, "fullDescription": {"text": "Arbitrary inputs are included in errors without any escaping in net/textproto"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5038", "name": "stdlib: GO-2026-5038", "shortDescription": {"text": "stdlib: GO-2026-5038"}, "fullDescription": {"text": "Quadratic complexity in WordDecoder.DecodeHeader in mime"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5037", "name": "stdlib: GO-2026-5037", "shortDescription": {"text": "stdlib: GO-2026-5037"}, "fullDescription": {"text": "Inefficient candidate hostname parsing in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4986", "name": "stdlib: GO-2026-4986", "shortDescription": {"text": "stdlib: GO-2026-4986"}, "fullDescription": {"text": "Quadratic string concatenation in consumeComment in net/mail"}, "properties": {"scanner": "osv-scanner", "category": "dependency",
"severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4982", "name": "stdlib: GO-2026-4982", "shortDescription": {"text": "stdlib: GO-2026-4982"}, "fullDescription": {"text": "Bypass of meta content URL escaping causes XSS in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4981", "name": "stdlib: GO-2026-4981", "shortDescription": {"text": "stdlib: GO-2026-4981"}, "fullDescription": {"text": "Crash when handling long CNAME response in net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4980", "name": "stdlib: GO-2026-4980", "shortDescription": {"text": "stdlib: GO-2026-4980"}, "fullDescription": {"text": "Escaper bypass leads to XSS in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4977", "name": "stdlib: GO-2026-4977", "shortDescription": {"text": "stdlib: GO-2026-4977"}, "fullDescription": {"text": "Quadratic string concatenation in consumePhrase in net/mail"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4976", "name": "stdlib: GO-2026-4976", "shortDescription": {"text": "stdlib: GO-2026-4976"}, "fullDescription": {"text": "ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4971", "name": "stdlib: GO-2026-4971", "shortDescription": {"text": "stdlib: GO-2026-4971"}, "fullDescription": {"text": "Panic in Dial and LookupPort when handling NUL byte on Windows in net"}, "properties": {"scanner": "osv-scanner", 
"category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4947", "name": "stdlib: GO-2026-4947", "shortDescription": {"text": "stdlib: GO-2026-4947"}, "fullDescription": {"text": "Unexpected work during chain building in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4946", "name": "stdlib: GO-2026-4946", "shortDescription": {"text": "stdlib: GO-2026-4946"}, "fullDescription": {"text": "Inefficient policy validation in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4918", "name": "stdlib: GO-2026-4918", "shortDescription": {"text": "stdlib: GO-2026-4918"}, "fullDescription": {"text": "Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4870", "name": "stdlib: GO-2026-4870", "shortDescription": {"text": "stdlib: GO-2026-4870"}, "fullDescription": {"text": "Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4869", "name": "stdlib: GO-2026-4869", "shortDescription": {"text": "stdlib: GO-2026-4869"}, "fullDescription": {"text": "Unbounded allocation for old GNU sparse in archive/tar"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4865", "name": "stdlib: GO-2026-4865", "shortDescription": {"text": "stdlib: GO-2026-4865"}, "fullDescription": {"text": "JsBraceDepth Context 
Tracking Bugs (XSS) in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4864", "name": "stdlib: GO-2026-4864", "shortDescription": {"text": "stdlib: GO-2026-4864"}, "fullDescription": {"text": "TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4603", "name": "stdlib: GO-2026-4603", "shortDescription": {"text": "stdlib: GO-2026-4603"}, "fullDescription": {"text": "URLs in meta content attribute actions are not escaped in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4602", "name": "stdlib: GO-2026-4602", "shortDescription": {"text": "stdlib: GO-2026-4602"}, "fullDescription": {"text": "FileInfo can escape from a Root in os"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4601", "name": "stdlib: GO-2026-4601", "shortDescription": {"text": "stdlib: GO-2026-4601"}, "fullDescription": {"text": "Incorrect parsing of IPv6 host literals in net/url"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4342", "name": "stdlib: GO-2026-4342", "shortDescription": {"text": "stdlib: GO-2026-4342"}, "fullDescription": {"text": "Excessive CPU consumption when building archive index in archive/zip"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4341", "name": "stdlib: GO-2026-4341", "shortDescription": {"text": "stdlib: GO-2026-4341"}, "fullDescription": {"text": "Memory 
exhaustion in query parameter parsing in net/url"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4340", "name": "stdlib: GO-2026-4340", "shortDescription": {"text": "stdlib: GO-2026-4340"}, "fullDescription": {"text": "Handshake messages may be processed at the incorrect encryption level in crypto/tls"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4337", "name": "stdlib: GO-2026-4337", "shortDescription": {"text": "stdlib: GO-2026-4337"}, "fullDescription": {"text": "Unexpected session resumption in crypto/tls"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4175", "name": "stdlib: GO-2025-4175", "shortDescription": {"text": "stdlib: GO-2025-4175"}, "fullDescription": {"text": "Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4155", "name": "stdlib: GO-2025-4155", "shortDescription": {"text": "stdlib: GO-2025-4155"}, "fullDescription": {"text": "Excessive resource consumption when printing error string for host certificate validation in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4015", "name": "stdlib: GO-2025-4015", "shortDescription": {"text": "stdlib: GO-2025-4015"}, "fullDescription": {"text": "Excessive CPU consumption in Reader.ReadResponse in net/textproto"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4014", "name": "stdlib: 
GO-2025-4014", "shortDescription": {"text": "stdlib: GO-2025-4014"}, "fullDescription": {"text": "Unbounded allocation when parsing GNU sparse map in archive/tar"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4013", "name": "stdlib: GO-2025-4013", "shortDescription": {"text": "stdlib: GO-2025-4013"}, "fullDescription": {"text": "Panic when validating certificates with DSA public keys in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4012", "name": "stdlib: GO-2025-4012", "shortDescription": {"text": "stdlib: GO-2025-4012"}, "fullDescription": {"text": "Lack of limit when parsing cookies can cause memory exhaustion in net/http"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4011", "name": "stdlib: GO-2025-4011", "shortDescription": {"text": "stdlib: GO-2025-4011"}, "fullDescription": {"text": "Parsing DER payload can cause memory exhaustion in encoding/asn1"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4010", "name": "stdlib: GO-2025-4010", "shortDescription": {"text": "stdlib: GO-2025-4010"}, "fullDescription": {"text": "Insufficient validation of bracketed IPv6 hostnames in net/url"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4009", "name": "stdlib: GO-2025-4009", "shortDescription": {"text": "stdlib: GO-2025-4009"}, "fullDescription": {"text": "Quadratic complexity when parsing some invalid inputs in encoding/pem"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", 
"owasp": ""}}, {"id": "GO-2025-4008", "name": "stdlib: GO-2025-4008", "shortDescription": {"text": "stdlib: GO-2025-4008"}, "fullDescription": {"text": "ALPN negotiation error contains attacker controlled information in crypto/tls"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4007", "name": "stdlib: GO-2025-4007", "shortDescription": {"text": "stdlib: GO-2025-4007"}, "fullDescription": {"text": "Quadratic complexity when checking name constraints in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4006", "name": "stdlib: GO-2025-4006", "shortDescription": {"text": "stdlib: GO-2025-4006"}, "fullDescription": {"text": "Excessive CPU consumption in ParseAddress in net/mail"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5030", "name": "golang.org/x/net: GO-2026-5030", "shortDescription": {"text": "golang.org/x/net: GO-2026-5030"}, "fullDescription": {"text": "Invoking duplicate attributes can cause XSS in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5029", "name": "golang.org/x/net: GO-2026-5029", "shortDescription": {"text": "golang.org/x/net: GO-2026-5029"}, "fullDescription": {"text": "Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5028", "name": "golang.org/x/net: GO-2026-5028", "shortDescription": {"text": "golang.org/x/net: GO-2026-5028"}, "fullDescription": {"text": "Invoking denial of service when parsing arbitrary HTML 
in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5027", "name": "golang.org/x/net: GO-2026-5027", "shortDescription": {"text": "golang.org/x/net: GO-2026-5027"}, "fullDescription": {"text": "Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5026", "name": "golang.org/x/net: GO-2026-5026", "shortDescription": {"text": "golang.org/x/net: GO-2026-5026"}, "fullDescription": {"text": "Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5025", "name": "golang.org/x/net: GO-2026-5025", "shortDescription": {"text": "golang.org/x/net: GO-2026-5025"}, "fullDescription": {"text": "Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5032", "name": "golang.org/x/image: GO-2026-5032", "shortDescription": {"text": "golang.org/x/image: GO-2026-5032"}, "fullDescription": {"text": "Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5031", "name": "golang.org/x/image: GO-2026-5031", "shortDescription": {"text": "golang.org/x/image: GO-2026-5031"}, "fullDescription": {"text": "Panic when reading out of bound palette index in golang.org/x/image/bmp"}, "properties": {"scanner": "osv-scanner", "category": "dependency", 
"severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4962", "name": "golang.org/x/image: GO-2026-4962", "shortDescription": {"text": "golang.org/x/image: GO-2026-4962"}, "fullDescription": {"text": "Excessive memory allocation when decoding malicious SFNT in golang.org/x/image"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4961", "name": "golang.org/x/image: GO-2026-4961", "shortDescription": {"text": "golang.org/x/image: GO-2026-4961"}, "fullDescription": {"text": "Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4815", "name": "golang.org/x/image: GO-2026-4815", "shortDescription": {"text": "golang.org/x/image: GO-2026-4815"}, "fullDescription": {"text": "OOM from malicious IFD offset in golang.org/x/image/tiff"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5033", "name": "golang.org/x/crypto: GO-2026-5033", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5033"}, "fullDescription": {"text": "Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5023", "name": "golang.org/x/crypto: GO-2026-5023", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5023"}, "fullDescription": {"text": "Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5021", "name": 
"golang.org/x/crypto: GO-2026-5021", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5021"}, "fullDescription": {"text": "Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5020", "name": "golang.org/x/crypto: GO-2026-5020", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5020"}, "fullDescription": {"text": "Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5019", "name": "golang.org/x/crypto: GO-2026-5019", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5019"}, "fullDescription": {"text": "Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5018", "name": "golang.org/x/crypto: GO-2026-5018", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5018"}, "fullDescription": {"text": "Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5017", "name": "golang.org/x/crypto: GO-2026-5017", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5017"}, "fullDescription": {"text": "Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5016", "name": "golang.org/x/crypto: GO-2026-5016", "shortDescription": {"text": 
"golang.org/x/crypto: GO-2026-5016"}, "fullDescription": {"text": "Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5015", "name": "golang.org/x/crypto: GO-2026-5015", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5015"}, "fullDescription": {"text": "Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5014", "name": "golang.org/x/crypto: GO-2026-5014", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5014"}, "fullDescription": {"text": "Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5013", "name": "golang.org/x/crypto: GO-2026-5013", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5013"}, "fullDescription": {"text": "Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5006", "name": "golang.org/x/crypto: GO-2026-5006", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5006"}, "fullDescription": {"text": "Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5005", "name": "golang.org/x/crypto: GO-2026-5005", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5005"}, "fullDescription": {"text": "Invoking key 
constraints not enforced in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hfvc-g4fc-pqhx", "name": "go.opentelemetry.io/otel/sdk: GHSA-hfvc-g4fc-pqhx", "shortDescription": {"text": "go.opentelemetry.io/otel/sdk: GHSA-hfvc-g4fc-pqhx"}, "fullDescription": {"text": "opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4394", "name": "go.opentelemetry.io/otel/sdk: GO-2026-4394", "shortDescription": {"text": "go.opentelemetry.io/otel/sdk: GO-2026-4394"}, "fullDescription": {"text": "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4985", "name": "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: GO-2026-4985", "shortDescription": {"text": "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: GO-2026-4985"}, "fullDescription": {"text": "Oversized OTLP HTTP response bodies can cause memory exhaustion in go.opentelemetry.io/otel/exporters/otlp"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mh2q-q3fh-2475", "name": "go.opentelemetry.io/otel: GHSA-mh2q-q3fh-2475", "shortDescription": {"text": "go.opentelemetry.io/otel: GHSA-mh2q-q3fh-2475"}, "fullDescription": {"text": "OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": 
"GO-2025-3748", "name": "github.com/pion/interceptor: GO-2025-3748", "shortDescription": {"text": "github.com/pion/interceptor: GO-2025-3748"}, "fullDescription": {"text": "Pion Interceptor's improper RTP padding handling allows remote crash for SFU users (DoS) in github.com/pion/interceptor"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4771", "name": "github.com/jackc/pgx/v5: GO-2026-4771", "shortDescription": {"text": "github.com/jackc/pgx/v5: GO-2026-4771"}, "fullDescription": {"text": "CVE-2026-33815 in github.com/jackc/pgx"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3900", "name": "github.com/go-viper/mapstructure/v2: GO-2025-3900", "shortDescription": {"text": "github.com/go-viper/mapstructure/v2: GO-2025-3900"}, "fullDescription": {"text": "Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-viper/mapstructure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3787", "name": "github.com/go-viper/mapstructure/v2: GO-2025-3787", "shortDescription": {"text": "github.com/go-viper/mapstructure/v2: GO-2025-3787"}, "fullDescription": {"text": "May leak sensitive information in logs when processing malformed data in github.com/go-viper/mapstructure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4945", "name": "github.com/go-jose/go-jose/v4: GO-2026-4945", "shortDescription": {"text": "github.com/go-jose/go-jose/v4: GO-2026-4945"}, "fullDescription": {"text": "Go JOSE Panics in JWE decryption in github.com/go-jose/go-jose"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 
0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-389r-gv7p-r3rp", "name": "github.com/go-git/go-git/v5: GHSA-389r-gv7p-r3rp", "shortDescription": {"text": "github.com/go-git/go-git/v5: GHSA-389r-gv7p-r3rp"}, "fullDescription": {"text": "go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4910", "name": "github.com/go-git/go-git/v5: GO-2026-4910", "shortDescription": {"text": "github.com/go-git/go-git/v5: GO-2026-4910"}, "fullDescription": {"text": "Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4909", "name": "github.com/go-git/go-git/v5: GO-2026-4909", "shortDescription": {"text": "github.com/go-git/go-git/v5: GO-2026-4909"}, "fullDescription": {"text": "Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4473", "name": "github.com/go-git/go-git/v5: GO-2026-4473", "shortDescription": {"text": "github.com/go-git/go-git/v5: GO-2026-4473"}, "fullDescription": {"text": "Improper verification of data integrity values for .idx and .pack files in github.com/go-git/go-git"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3367", "name": "github.com/go-git/go-git/v5: GO-2025-3367", "shortDescription": {"text": "github.com/go-git/go-git/v5: GO-2025-3367"}, "fullDescription": {"text": "Clients vulnerable to DoS via maliciously crafted Git server replies in github.com/go-git/go-git"}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qw64-3x98-g7q2", "name": "github.com/go-git/go-billy/v5: GHSA-qw64-3x98-g7q2", "shortDescription": {"text": "github.com/go-git/go-billy/v5: GHSA-qw64-3x98-g7q2"}, "fullDescription": {"text": "go-billy has path traversal vulnerabilities"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3533", "name": "github.com/getkin/kin-openapi: GO-2025-3533", "shortDescription": {"text": "github.com/getkin/kin-openapi: GO-2025-3533"}, "fullDescription": {"text": "Improper Handling of Highly Compressed Data (Data Amplification) in github.com/getkin/kin-openapi/openapi3filter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4511", "name": "github.com/ethereum/go-ethereum: GO-2026-4511", "shortDescription": {"text": "github.com/ethereum/go-ethereum: GO-2026-4511"}, "fullDescription": {"text": "Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake in github.com/ethereum/go-ethereum"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4508", "name": "github.com/ethereum/go-ethereum: GO-2026-4508", "shortDescription": {"text": "github.com/ethereum/go-ethereum: GO-2026-4508"}, "fullDescription": {"text": "Go Ethereum affected by DoS via malicious p2p message in github.com/ethereum/go-ethereum"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4507", "name": "github.com/ethereum/go-ethereum: GO-2026-4507", "shortDescription": {"text": "github.com/ethereum/go-ethereum: GO-2026-4507"}, "fullDescription": {"text": "Go Ethereum 
affected by crash via malicious p2p message in github.com/ethereum/go-ethereum"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4315", "name": "github.com/ethereum/go-ethereum: GO-2026-4315", "shortDescription": {"text": "github.com/ethereum/go-ethereum: GO-2026-4315"}, "fullDescription": {"text": "DoS via malicious p2p message affecting a vulnerable node in github.com/ethereum/go-ethereum"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4314", "name": "github.com/ethereum/go-ethereum: GO-2026-4314", "shortDescription": {"text": "github.com/ethereum/go-ethereum: GO-2026-4314"}, "fullDescription": {"text": "High CPU usage leading to DoS via malicious p2p message in github.com/ethereum/go-ethereum"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x86f-5xw2-fm2r", "name": "github.com/docker/docker: GHSA-x86f-5xw2-fm2r", "shortDescription": {"text": "github.com/docker/docker: GHSA-x86f-5xw2-fm2r"}, "fullDescription": {"text": "Docker: `PUT /containers/{id}/archive` executes container binary on the host"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rg2x-37c3-w2rh", "name": "github.com/docker/docker: GHSA-rg2x-37c3-w2rh", "shortDescription": {"text": "github.com/docker/docker: GHSA-rg2x-37c3-w2rh"}, "fullDescription": {"text": "Docker: Race condition in docker cp allows bind mount redirection to host path"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4887", "name": "github.com/docker/docker: GO-2026-4887", "shortDescription": {"text": "github.com/docker/docker: 
GO-2026-4887"}, "fullDescription": {"text": "Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4883", "name": "github.com/docker/docker: GO-2026-4883", "shortDescription": {"text": "github.com/docker/docker: GO-2026-4883"}, "fullDescription": {"text": "Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4610", "name": "github.com/docker/cli: GO-2026-4610", "shortDescription": {"text": "github.com/docker/cli: GO-2026-4610"}, "fullDescription": {"text": "Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-4087", "name": "github.com/consensys/gnark-crypto: GO-2025-4087", "shortDescription": {"text": "github.com/consensys/gnark-crypto: GO-2025-4087"}, "fullDescription": {"text": "Unchecked memory allocation during vector deserialization in github.com/consensys/gnark-crypto"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4550", "name": "github.com/cloudflare/circl: GO-2026-4550", "shortDescription": {"text": "github.com/cloudflare/circl: GO-2026-4550"}, "fullDescription": {"text": "CIRCL has an incorrect calculation in secp384r1 CombinedMult in github.com/cloudflare/circl"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2025-3754", "name": "github.com/cloudflare/circl: 
GO-2025-3754", "shortDescription": {"text": "github.com/cloudflare/circl: GO-2025-3754"}, "fullDescription": {"text": "CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2022-0646", "name": "github.com/aws/aws-sdk-go: GO-2022-0646", "shortDescription": {"text": "github.com/aws/aws-sdk-go: GO-2022-0646"}, "fullDescription": {"text": "CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2022-0635", "name": "github.com/aws/aws-sdk-go: GO-2022-0635", "shortDescription": {"text": "github.com/aws/aws-sdk-go: GO-2022-0635"}, "fullDescription": {"text": "In-band key negotiation issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4503", "name": "filippo.io/edwards25519: GO-2026-4503", "shortDescription": {"text": "filippo.io/edwards25519: GO-2026-4503"}, "fullDescription": {"text": "Invalid result or undefined behavior in filippo.io/edwards25519"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2021-0127", "name": "serde_cbor: RUSTSEC-2021-0127", "shortDescription": {"text": "serde_cbor: RUSTSEC-2021-0127"}, "fullDescription": {"text": "serde_cbor is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0134", "name": "rustls-pemfile: RUSTSEC-2025-0134", "shortDescription": {"text": "rustls-pemfile: RUSTSEC-2025-0134"}, 
"fullDescription": {"text": "rustls-pemfile is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2023-0071", "name": "rsa: RUSTSEC-2023-0071", "shortDescription": {"text": "rsa: RUSTSEC-2023-0071"}, "fullDescription": {"text": "Marvin Attack: potential key recovery through timing sidechannels"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0370", "name": "proc-macro-error: RUSTSEC-2024-0370", "shortDescription": {"text": "proc-macro-error: RUSTSEC-2024-0370"}, "fullDescription": {"text": "proc-macro-error is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0058", "name": "custom_derive: RUSTSEC-2025-0058", "shortDescription": {"text": "custom_derive: RUSTSEC-2025-0058"}, "fullDescription": {"text": "custom_derive crate is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC092", "name": "[SEC092] Go: SQL via fmt.Sprintf or string concat: SQL query constructed via Sprintf or `+` enables SQL injection. 
Porte", "shortDescription": {"text": "[SEC092] Go: SQL via fmt.Sprintf or string concat: SQL query constructed via Sprintf or `+` enables SQL injection. Ported from gosec G201 / G202 (Apache-2.0)."}, "fullDescription": {"text": "Use placeholders: `db.Query(\"SELECT ... WHERE id = ?\", userID)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.", "shortDescription": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded dir", "shortDescription": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. 
Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the resolved path is inside your expected base directory (compare whole path components, e.g. with os.path.commonpath(), not a raw string prefix). Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `golangci/golangci-lint-action` pinned to mutable ref `@v8`", "shortDescription": {"text": "Action `golangci/golangci-lint-action` pinned to mutable ref `@v8`"}, "fullDescription": {"text": "`uses: golangci/golangci-lint-action@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "package.json dep `react-native-webrtc` pulled from URL/Git", "shortDescription": {"text": "package.json dep `react-native-webrtc` pulled from URL/Git"}, "fullDescription": {"text": "`dependencies.react-native-webrtc` = `git+https://github.com/streamplace/react-native-webrtc.git#74fa32266e3a2fee180f5e01bb8753af2a92d9d3` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `ubuntu:24.04` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `ubuntu:24.04` not pinned by digest"}, "fullDescription": {"text": "`FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED128", "name": "go.mod replaces `github.com/bluesky-social/indigo` \u2014 redirects to fork `github.com/streamplace/indigo`", "shortDescription": {"text": "go.mod replaces `github.com/bluesky-social/indigo` \u2014 redirects to fork `github.com/streamplace/indigo`"}, "fullDescription": {"text": "`replace github.com/bluesky-social/indigo => github.com/streamplace/indigo` overrides the canonical dependency with a different source (redirects to fork `github.com/streamplace/indigo`). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-xq3m-2v4x-88gg", "name": "protobufjs: GHSA-xq3m-2v4x-88gg", "shortDescription": {"text": "protobufjs: GHSA-xq3m-2v4x-88gg"}, "fullDescription": {"text": "Arbitrary code execution in protobufjs"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2w6w-674q-4c4q", "name": "handlebars: GHSA-2w6w-674q-4c4q", "shortDescription": {"text": "handlebars: GHSA-2w6w-674q-4c4q"}, "fullDescription": {"text": "Handlebars.js has JavaScript Injection via AST Type Confusion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m7jm-9gc2-mpf2", "name": "fast-xml-parser: GHSA-m7jm-9gc2-mpf2", "shortDescription": {"text": "fast-xml-parser: GHSA-m7jm-9gc2-mpf2"}, "fullDescription": {"text": "fast-xml-parser has an entity encoding bypass via regex injection in 
DOCTYPE entity names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p77j-4mvh-x3m3", "name": "google.golang.org/grpc: GHSA-p77j-4mvh-x3m3", "shortDescription": {"text": "google.golang.org/grpc: GHSA-p77j-4mvh-x3m3"}, "fullDescription": {"text": "gRPC-Go has an authorization bypass via missing leading slash in :path"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9jj7-4m8r-rfcm", "name": "github.com/jackc/pgx/v5: GHSA-9jj7-4m8r-rfcm", "shortDescription": {"text": "github.com/jackc/pgx/v5: GHSA-9jj7-4m8r-rfcm"}, "fullDescription": {"text": "Memory-safety vulnerability in github.com/jackc/pgx/v5."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v725-9546-7q7m", "name": "github.com/go-git/go-git/v5: GHSA-v725-9546-7q7m", "shortDescription": {"text": "github.com/go-git/go-git/v5: GHSA-v725-9546-7q7m"}, "fullDescription": {"text": "go-git has an Argument Injection via the URL field"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "private-key", "name": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.", 
"shortDescription": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "gcp-api-key", "name": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.", "shortDescription": {"text": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1132"}, "properties": {"repository": "streamplace/streamplace", "repoUrl": "https://github.com/streamplace/streamplace", "branch": "next"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 112284, "scanner": "repobility-journey-contract", "fingerprint": "0fe9243d4d0d30c360db550691683d43a35b0c5de17a8f0b3d44a9c5a76cf991", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/playback", "correlation_key": "fp|0fe9243d4d0d30c360db550691683d43a35b0c5de17a8f0b3d44a9c5a76cf991", "backend_endpoint_count": 272}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/chat/teleport-modal.tsx"}, "region": {"startLine": 168}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 112283, "scanner": "repobility-journey-contract", "fingerprint": "872f8402171fe73e9ea50b2f842ccfeb7c30e150f3ebe8c6e00fb67b09c2df17", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": 
"repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/playback", "correlation_key": "fp|872f8402171fe73e9ea50b2f842ccfeb7c30e150f3ebe8c6e00fb67b09c2df17", "backend_endpoint_count": 272}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/live-dashboard/stream-monitor.tsx"}, "region": {"startLine": 96}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /xrpc/place.stream.media.getVideoList."}, "properties": {"repobilityId": 112282, "scanner": "repobility-access-control", "fingerprint": "1698730d5c5208a6f5c1ed252de5d2677a5ed7bfcc36d97852765b82675924f4", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/xrpc/place.stream.media.getVideoList", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/spxrpc/stubs.go|310|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/spxrpc/stubs.go"}, "region": {"startLine": 310}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /xrpc/place.stream.game.getGame."}, "properties": {"repobilityId": 112281, "scanner": "repobility-access-control", "fingerprint": "8c4ad79ad946b2756957f613ad1c110f54618c7decac2f219be357212b95fb1d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/xrpc/place.stream.game.getGame", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/spxrpc/stubs.go|294|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/spxrpc/stubs.go"}, "region": {"startLine": 294}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /xrpc/place.stream.config.getEnv."}, "properties": {"repobilityId": 112280, "scanner": "repobility-access-control", "fingerprint": "d948dc9ffb9cfa5049a4281a5ad9623062755cdf68f0410171c7a902fabfd1a9", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/xrpc/place.stream.config.getEnv", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/spxrpc/stubs.go|293|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/spxrpc/stubs.go"}, "region": {"startLine": 293}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /xrpc/place.stream.broadcast.getBroadcaster."}, "properties": {"repobilityId": 112279, "scanner": "repobility-access-control", "fingerprint": "9066e2f02705c54c066b550b9ba754019c5095067a14b484cfa380ce4afb99ea", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/xrpc/place.stream.broadcast.getBroadcaster", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/spxrpc/stubs.go|292|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/spxrpc/stubs.go"}, "region": {"startLine": 292}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /xrpc/place.stream.branding.updateBlob."}, "properties": {"repobilityId": 112278, "scanner": "repobility-access-control", "fingerprint": "5073819da98bba29ea491292c7e47ad456ca9d97df510e1d8d69ac77f915189c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/xrpc/place.stream.branding.updateBlob", "method": "POST", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/spxrpc/stubs.go|291|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/spxrpc/stubs.go"}, "region": {"startLine": 291}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /xrpc/place.stream.branding.getBranding."}, "properties": {"repobilityId": 112277, "scanner": "repobility-access-control", "fingerprint": "2cd5f88c0839c11c553747b650e66a40bf6f5a8b31357f369a7cddd6d46cd0d0", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/xrpc/place.stream.branding.getBranding", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/spxrpc/stubs.go|290|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/spxrpc/stubs.go"}, "region": {"startLine": 290}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /xrpc/place.stream.branding.getBlob."}, "properties": {"repobilityId": 112276, "scanner": "repobility-access-control", "fingerprint": "6e026e925e5d02f2f6d018e7052462cbb376e2190176ee990477c122c417d0fb", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/xrpc/place.stream.branding.getBlob", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/spxrpc/stubs.go|289|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/spxrpc/stubs.go"}, "region": {"startLine": 289}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /xrpc/place.stream.branding.deleteBlob."}, "properties": {"repobilityId": 112275, "scanner": "repobility-access-control", "fingerprint": "0bda95c950c209c83dbc423b5bbb5bdf521a3d0c9a977e896e4e83347701329c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/xrpc/place.stream.branding.deleteBlob", "method": "POST", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/spxrpc/stubs.go|288|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/spxrpc/stubs.go"}, "region": {"startLine": 288}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /xrpc/place.stream.badge.getValidBadges."}, "properties": {"repobilityId": 112274, "scanner": "repobility-access-control", "fingerprint": "fe9ee4e65b624156d51bac05d4c8d41fb78d3193e0801657e6e276fc1bd9cee9", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/xrpc/place.stream.badge.getValidBadges", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/spxrpc/stubs.go|286|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/spxrpc/stubs.go"}, "region": {"startLine": 286}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /xrpc/place.stream.badge.getIssuedBadges."}, "properties": {"repobilityId": 112273, "scanner": "repobility-access-control", "fingerprint": "fe42595c24d55674770a0ec588a2e32e422fe1dc0c7c50f63fc8048c24ee5cba", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/xrpc/place.stream.badge.getIssuedBadges", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/spxrpc/stubs.go|285|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/spxrpc/stubs.go"}, "region": {"startLine": 285}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /Authorization."}, "properties": {"repobilityId": 112272, "scanner": "repobility-access-control", "fingerprint": "6435623ca142464672df96cfd70ecc100d6ee1a321343530ab71aad581e959b5", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Authorization", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/upload/upload.go|351|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/upload/upload.go"}, "region": {"startLine": 351}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: PUT /settings/:id."}, "properties": {"repobilityId": 112271, "scanner": "repobility-access-control", "fingerprint": "22751ba2eb73eda3009729acfc3f1bed081c15f37da1923ff779e9e6c01f13de", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings/:id", "method": "PUT", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/api/api_internal.go|487|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/api_internal.go"}, "region": {"startLine": 487}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /http-pipe/:uuid."}, "properties": {"repobilityId": 112270, "scanner": "repobility-access-control", "fingerprint": "83205875f768c3be6513970223f4c26c8aebbed75c0660a91539e7778c05701b", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/http-pipe/:uuid", "method": "POST", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/api/api_internal.go|194|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/api_internal.go"}, "region": {"startLine": 194}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 10.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 112263, "scanner": "repobility-access-control", "fingerprint": "e34fb424d4da76b62193751697cf05d27be0e3ac6417f5f57c6e2d7b11b12e7b", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 272, "correlation_key": "fp|e34fb424d4da76b62193751697cf05d27be0e3ac6417f5f57c6e2d7b11b12e7b", "auth_visible_percent": 10.3}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 112262, "scanner": "repobility-access-control", "fingerprint": 
"f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Echo", "GraphQL", "Chi"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 112244, "scanner": "osv-scanner", "fingerprint": "50bb42596af5c9f077010621340b47a31a4c2078f9d0e01ee2b787647b74301a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 112243, "scanner": "osv-scanner", "fingerprint": "d698c0969dae25e950d4f8b65b021df28bdeb91476dcc255cdcc9ca9ba3ee73e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "GHSA-9jgg-88mc-972h", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-9jgg-88mc-972h"}, "properties": {"repobilityId": 112242, "scanner": "osv-scanner", "fingerprint": "2058e0841f8e55a21d21b12194f8d27e99c57090ef4921cf0366699e34ed92e8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-30360"], "package": "webpack-dev-server", "rule_id": "GHSA-9jgg-88mc-972h", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2025-30360|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-79cf-xcqc-c78w", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-79cf-xcqc-c78w"}, "properties": {"repobilityId": 112241, "scanner": "osv-scanner", "fingerprint": "bf17a1b8032e08e83dd69d78b623ced845743d9cdd4b2f534bd150c450160d90", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6402"], "package": "webpack-dev-server", "rule_id": "GHSA-79cf-xcqc-c78w", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2026-6402|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4v9v-hfq4-rm2v", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-4v9v-hfq4-rm2v"}, "properties": {"repobilityId": 112240, "scanner": "osv-scanner", "fingerprint": "bad564efe556f5e9874abc9f9973628c4b13601dd518627d1dbca7909481552d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-30359"], "package": 
"webpack-dev-server", "rule_id": "GHSA-4v9v-hfq4-rm2v", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2025-30359|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 112236, "scanner": "osv-scanner", "fingerprint": "a2c12e2b28152cf8b2318c26eb42f38e3894a8280e15146de8ce046c997d7d89", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 112235, "scanner": "osv-scanner", "fingerprint": "fdef028f4a816ff49a3feddc8fea57767b8bd7a5285d824fe826196183701971", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g9mf-h72j-4rw9", "level": "warning", "message": {"text": "undici: GHSA-g9mf-h72j-4rw9"}, "properties": {"repobilityId": 112234, "scanner": "osv-scanner", "fingerprint": "783888cf99ccdd193a6bbf5808eb99a946b0897c275ba28a7321371df70feae9", "category": "dependency", "severity": "medium", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-22036"], "package": "undici", "rule_id": "GHSA-g9mf-h72j-4rw9", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-22036|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4992-7rv2-5pvq", "level": "warning", "message": {"text": "undici: GHSA-4992-7rv2-5pvq"}, "properties": {"repobilityId": 112230, "scanner": "osv-scanner", "fingerprint": "8115727bfcf9fb5c733f94951b6c76b53101eaf392c34bbf2e4981a84489f899", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1527"], "package": "undici", "rule_id": "GHSA-4992-7rv2-5pvq", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1527|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2mjp-6q6p-2qxm", "level": "warning", "message": {"text": "undici: GHSA-2mjp-6q6p-2qxm"}, "properties": {"repobilityId": 112229, "scanner": "osv-scanner", "fingerprint": "27feada98ab5f326c7254750f715731608e011901400f45934a064cef0424d39", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1525"], "package": "undici", "rule_id": "GHSA-2mjp-6q6p-2qxm", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1525|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v3rj-xjv7-4jmq", "level": "warning", "message": {"text": "smol-toml: GHSA-v3rj-xjv7-4jmq"}, "properties": {"repobilityId": 112218, "scanner": 
"osv-scanner", "fingerprint": "cd040272d36f524e718de07acee7ce54502019f7f8a2101c74f4a12389702c8c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "smol-toml", "rule_id": "GHSA-v3rj-xjv7-4jmq", "scanner": "osv-scanner", "correlation_key": "vuln|smol-toml|GHSA-V3RJ-XJV7-4JMQ|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qj8w-gfj5-8c6v", "level": "warning", "message": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "properties": {"repobilityId": 112217, "scanner": "osv-scanner", "fingerprint": "e5adc7b8147d0f39d78debfb9b91e31cc337ef1e8ecd400a17dea5cbe1b23197", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34043"], "package": "serialize-javascript", "rule_id": "GHSA-qj8w-gfj5-8c6v", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2026-34043|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 112213, "scanner": "osv-scanner", "fingerprint": "0727364e57c088dabd2840fd21980edb99b147969b7db2965e7188703dcea5f1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "GHSA-6rw7-vpxm-498p", "level": "warning", "message": {"text": "qs: GHSA-6rw7-vpxm-498p"}, "properties": {"repobilityId": 112212, "scanner": "osv-scanner", "fingerprint": "6d22fb6d155cd92273923764c4a42ac64c943a3e96e9afc41e845a7b5d2f24b9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-15284"], "package": "qs", "rule_id": "GHSA-6rw7-vpxm-498p", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2025-15284|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q6x5-8v7m-xcrf", "level": "warning", "message": {"text": "protobufjs: GHSA-q6x5-8v7m-xcrf"}, "properties": {"repobilityId": 112210, "scanner": "osv-scanner", "fingerprint": "b33b79b9fd59696cb77135929c6310e23f3a0a6c87ae9168d2d9b3da75d1a04c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44288"], "package": "protobufjs", "rule_id": "GHSA-q6x5-8v7m-xcrf", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44288|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jggg-4jg4-v7c6", "level": "warning", "message": {"text": "protobufjs: GHSA-jggg-4jg4-v7c6"}, "properties": {"repobilityId": 112208, "scanner": "osv-scanner", "fingerprint": "0664e00c888b84ac96a0b8a56d84d5cd748a252430672c53387339c342017e33", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45740"], "package": "protobufjs", "rule_id": "GHSA-jggg-4jg4-v7c6", "scanner": "osv-scanner", "correlation_key": 
"vuln|protobufjs|CVE-2026-45740|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fx83-v9x8-x52w", "level": "warning", "message": {"text": "protobufjs: GHSA-fx83-v9x8-x52w"}, "properties": {"repobilityId": 112207, "scanner": "osv-scanner", "fingerprint": "0ad003d1cc4016716b428cda485455c497f4cc5289489ada690c9ab0efc3e45b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44292"], "package": "protobufjs", "rule_id": "GHSA-fx83-v9x8-x52w", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44292|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2pr8-phx7-x9h3", "level": "warning", "message": {"text": "protobufjs: GHSA-2pr8-phx7-x9h3"}, "properties": {"repobilityId": 112203, "scanner": "osv-scanner", "fingerprint": "5da42f8ba9e9360d2afb80e2f8025fce28f6ece32ae33683a7d45627612a4958", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44294"], "package": "protobufjs", "rule_id": "GHSA-2pr8-phx7-x9h3", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44294|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 112202, "scanner": "osv-scanner", "fingerprint": "0b1dff5c952a767b7990e67b0d60cc580116a9b63b14cf0d44b920a59028efbf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 112200, "scanner": "osv-scanner", "fingerprint": "d9d26d972991fffb51a1613b08ac1e8e722be1c10191fb43cced54b770250e8d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vvjj-xcjg-gr5g", "level": "warning", "message": {"text": "nodemailer: GHSA-vvjj-xcjg-gr5g"}, "properties": {"repobilityId": 112196, "scanner": "osv-scanner", "fingerprint": "6fce37998bb8f8a25c4d5f94b986e6b63c1d5fbd55d109cdc4733bf0dffd817f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "nodemailer", "rule_id": "GHSA-vvjj-xcjg-gr5g", "scanner": "osv-scanner", "correlation_key": "vuln|nodemailer|GHSA-VVJJ-XCJG-GR5G|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mm7p-fcc7-pg87", "level": "warning", "message": {"text": "nodemailer: GHSA-mm7p-fcc7-pg87"}, "properties": {"repobilityId": 112194, "scanner": "osv-scanner", "fingerprint": 
"b0a64e573c33cab0bf893a5c1b203bd854fefff4a9d20792f446271f437751fe", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13033"], "package": "nodemailer", "rule_id": "GHSA-mm7p-fcc7-pg87", "scanner": "osv-scanner", "correlation_key": "vuln|nodemailer|CVE-2025-13033|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65ch-62r8-g69g", "level": "warning", "message": {"text": "node-forge: GHSA-65ch-62r8-g69g"}, "properties": {"repobilityId": 112190, "scanner": "osv-scanner", "fingerprint": "7ae3cf73266e9f04815d7265db86772c37f224fb8fd8cfab836e3620a2ca8501", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66030"], "package": "node-forge", "rule_id": "GHSA-65ch-62r8-g69g", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2025-66030|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4fh9-h7wg-q85m", "level": "warning", "message": {"text": "mdast-util-to-hast: GHSA-4fh9-h7wg-q85m"}, "properties": {"repobilityId": 112182, "scanner": "osv-scanner", "fingerprint": "039e2b36672f18dbf9d417665e7f3212fd1a283e5ef0c85f75995c2c417b7e4e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66400"], "package": "mdast-util-to-hast", "rule_id": "GHSA-4fh9-h7wg-q85m", "scanner": "osv-scanner", "correlation_key": "vuln|mdast-util-to-hast|CVE-2025-66400|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "GHSA-6vfc-qv3f-vr6c", "level": "warning", "message": {"text": "markdown-it: GHSA-6vfc-qv3f-vr6c"}, "properties": {"repobilityId": 112181, "scanner": "osv-scanner", "fingerprint": "2f9cca2163d6371fa9083ba96232a4640a76799c11725b4b0318091b01a94e06", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-21670"], "package": "markdown-it", "rule_id": "GHSA-6vfc-qv3f-vr6c", "scanner": "osv-scanner", "correlation_key": "vuln|markdown-it|CVE-2022-21670|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 112180, "scanner": "osv-scanner", "fingerprint": "75f1cf8ff29d8d132d579513aad4027dbb5a93646863d8e7bc0c89343d3402ef", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 112178, "scanner": "osv-scanner", "fingerprint": "529a8e201067f66e4bcd0d6408bc6eece689220a5a65ec65438a230ab5b7cf66", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", 
"correlation_key": "vuln|lodash|CVE-2026-2950|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mh29-5h37-fv8m", "level": "warning", "message": {"text": "js-yaml: GHSA-mh29-5h37-fv8m"}, "properties": {"repobilityId": 112175, "scanner": "osv-scanner", "fingerprint": "e1f1eee28e3c43746c892494085b271496e4ce012a6f7a57876b5d7ed32ae261", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64718"], "package": "js-yaml", "rule_id": "GHSA-mh29-5h37-fv8m", "scanner": "osv-scanner", "correlation_key": "vuln|js-yaml|CVE-2025-64718|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2v4-37r5-5v8g", "level": "warning", "message": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "properties": {"repobilityId": 112174, "scanner": "osv-scanner", "fingerprint": "62020e206e8925629e9ce81503c184fb7740327a8f08e1c3e188f1738ecc7bb4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42338"], "package": "ip-address", "rule_id": "GHSA-v2v4-37r5-5v8g", "scanner": "osv-scanner", "correlation_key": "vuln|ip-address|CVE-2026-42338|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q89c-q3h5-w34g", "level": "warning", "message": {"text": "i18next-http-backend: GHSA-q89c-q3h5-w34g"}, "properties": {"repobilityId": 112172, "scanner": "osv-scanner", "fingerprint": "698bf98d8efa6b72c9f91bc0d982085d70c2870a99c9e8833bd0bd68ab100ed6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41691"], "package": "i18next-http-backend", "rule_id": "GHSA-q89c-q3h5-w34g", "scanner": "osv-scanner", "correlation_key": "vuln|i18next-http-backend|CVE-2026-41691|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9gqv-wp59-fq42", "level": "warning", "message": {"text": "http-proxy-middleware: GHSA-9gqv-wp59-fq42"}, "properties": {"repobilityId": 112170, "scanner": "osv-scanner", "fingerprint": "ca333b7def2de43fb65853c34054d47dfabe0257fd1539cd0ad0efaa2675769c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-32997"], "package": "http-proxy-middleware", "rule_id": "GHSA-9gqv-wp59-fq42", "scanner": "osv-scanner", "correlation_key": "vuln|http-proxy-middleware|CVE-2025-32997|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4www-5p9h-95mh", "level": "warning", "message": {"text": "http-proxy-middleware: GHSA-4www-5p9h-95mh"}, "properties": {"repobilityId": 112169, "scanner": "osv-scanner", "fingerprint": "7cfc5c114ac0625d7609b3088539dc7bbc03f40458dc4c5cc8e75e76b7ad4d0b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-32996"], "package": "http-proxy-middleware", "rule_id": "GHSA-4www-5p9h-95mh", "scanner": "osv-scanner", "correlation_key": "vuln|http-proxy-middleware|CVE-2025-32996|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7rx3-28cr-v5wh", "level": "warning", "message": {"text": "handlebars: 
GHSA-7rx3-28cr-v5wh"}, "properties": {"repobilityId": 112165, "scanner": "osv-scanner", "fingerprint": "85ba8a8c3bb4acc6a3459d169d64d4879013e992d499c9208de8ad7a36084a86", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "handlebars", "rule_id": "GHSA-7rx3-28cr-v5wh", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|GHSA-7RX3-28CR-V5WH|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2qvq-rjwj-gvw9", "level": "warning", "message": {"text": "handlebars: GHSA-2qvq-rjwj-gvw9"}, "properties": {"repobilityId": 112161, "scanner": "osv-scanner", "fingerprint": "17e1798d1dbb31c5c850819b4d7b3cd310a7dda9641e1eea682fb1e6564e4af8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33916"], "package": "handlebars", "rule_id": "GHSA-2qvq-rjwj-gvw9", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33916|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-72gr-qfp7-vwhw", "level": "warning", "message": {"text": "h3: GHSA-72gr-qfp7-vwhw"}, "properties": {"repobilityId": 112160, "scanner": "osv-scanner", "fingerprint": "eea7d839c75eca9557a6d264eb692c49a8e8ae12f6c86fd90e9d7a4084e34787", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "h3", "rule_id": "GHSA-72gr-qfp7-vwhw", "scanner": "osv-scanner", "correlation_key": "vuln|h3|GHSA-72GR-QFP7-VWHW|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "GHSA-4hxc-9384-m385", "level": "warning", "message": {"text": "h3: GHSA-4hxc-9384-m385"}, "properties": {"repobilityId": 112159, "scanner": "osv-scanner", "fingerprint": "5c1cf5e80cb781cf7fc04b7694988cddf9e3ac1c30d9d6c7344cf3712556c344", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "h3", "rule_id": "GHSA-4hxc-9384-m385", "scanner": "osv-scanner", "correlation_key": "vuln|h3|GHSA-4HXC-9384-M385|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r4q5-vmmm-2653", "level": "warning", "message": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "properties": {"repobilityId": 112157, "scanner": "osv-scanner", "fingerprint": "6f390e2ea2dc5e15147a7d495e55d42a4ae00467d7b3f2ca1cebb7aa445a73b9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "follow-redirects", "rule_id": "GHSA-r4q5-vmmm-2653", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|GHSA-R4Q5-VMMM-2653|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5v7r-6r5c-r473", "level": "warning", "message": {"text": "file-type: GHSA-5v7r-6r5c-r473"}, "properties": {"repobilityId": 112154, "scanner": "osv-scanner", "fingerprint": "b591c5d6f25bb4814185a58dc9243fbaa2653abb4aea668e8ef5d0c8f180e044", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-31808"], "package": "file-type", "rule_id": "GHSA-5v7r-6r5c-r473", "scanner": "osv-scanner", "correlation_key": 
"vuln|file-type|CVE-2026-31808|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jp2q-39xq-3w4g", "level": "warning", "message": {"text": "fast-xml-parser: GHSA-jp2q-39xq-3w4g"}, "properties": {"repobilityId": 112152, "scanner": "osv-scanner", "fingerprint": "1af445e3838603a8f4b9958ec59ad4eea551242cf22c0308f89fa61103a71acd", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33349"], "package": "fast-xml-parser", "rule_id": "GHSA-jp2q-39xq-3w4g", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-33349|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gh4j-gqv2-49f6", "level": "warning", "message": {"text": "fast-xml-parser: GHSA-gh4j-gqv2-49f6"}, "properties": {"repobilityId": 112151, "scanner": "osv-scanner", "fingerprint": "55c8ddf786242f8348f0e9bc58edaf2b984907cd428c9be51381737c1db7285a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41650"], "package": "fast-xml-parser", "rule_id": "GHSA-gh4j-gqv2-49f6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-41650|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xwr5-m59h-vwqr", "level": "warning", "message": {"text": "electron: GHSA-xwr5-m59h-vwqr"}, "properties": {"repobilityId": 112144, "scanner": "osv-scanner", "fingerprint": "9148fb480ee68e6f1efb73638472d391a64f1299884ca12aa93708f151ffadd3", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34775"], "package": "electron", "rule_id": "GHSA-xwr5-m59h-vwqr", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34775|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xj5x-m3f3-5x3h", "level": "warning", "message": {"text": "electron: GHSA-xj5x-m3f3-5x3h"}, "properties": {"repobilityId": 112143, "scanner": "osv-scanner", "fingerprint": "5cb6618ecc46ae4b9a9a4319e78f23b830a68b8f2e354c7b779d0e7141093e2d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34778"], "package": "electron", "rule_id": "GHSA-xj5x-m3f3-5x3h", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34778|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vmqv-hx8q-j7mg", "level": "warning", "message": {"text": "electron: GHSA-vmqv-hx8q-j7mg"}, "properties": {"repobilityId": 112142, "scanner": "osv-scanner", "fingerprint": "71e7f2bea12bc8d1f69c1a97722ae3b22aeebe521f48350887eb321ac5a97f27", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-55305"], "package": "electron", "rule_id": "GHSA-vmqv-hx8q-j7mg", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2025-55305|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5p7-gp4j-qhrx", "level": "warning", "message": {"text": "electron: GHSA-r5p7-gp4j-qhrx"}, "properties": {"repobilityId": 112141, "scanner": "osv-scanner", 
"fingerprint": "2e8fde414f4a9520dd7c03c4fd9983517d7e5868f4f83187d3f1f2d10c64145c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34777"], "package": "electron", "rule_id": "GHSA-r5p7-gp4j-qhrx", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34777|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mwmh-mq4g-g6gr", "level": "warning", "message": {"text": "electron: GHSA-mwmh-mq4g-g6gr"}, "properties": {"repobilityId": 112140, "scanner": "osv-scanner", "fingerprint": "21da2c06e466fcefc8086e291d96c34f643aa40e2d0ea5f70c1e2b27c90251a6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34773"], "package": "electron", "rule_id": "GHSA-mwmh-mq4g-g6gr", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34773|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f3pv-wv63-48x8", "level": "warning", "message": {"text": "electron: GHSA-f3pv-wv63-48x8"}, "properties": {"repobilityId": 112137, "scanner": "osv-scanner", "fingerprint": "fea664f38f51e467f735366dcd5d268cb22e2e6ef8605237b3e54c444d02e21a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34765"], "package": "electron", "rule_id": "GHSA-f3pv-wv63-48x8", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34765|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"GHSA-9w97-2464-8783", "level": "warning", "message": {"text": "electron: GHSA-9w97-2464-8783"}, "properties": {"repobilityId": 112134, "scanner": "osv-scanner", "fingerprint": "356645e4f5c0671abd458521d2848f53190eb90c5c0e67c61176a7ce50e6da5c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34772"], "package": "electron", "rule_id": "GHSA-9w97-2464-8783", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34772|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5rqw-r77c-jp79", "level": "warning", "message": {"text": "electron: GHSA-5rqw-r77c-jp79"}, "properties": {"repobilityId": 112130, "scanner": "osv-scanner", "fingerprint": "497bd95ea20d1851295af6f58e1d5251b22defef815f02f43c1fbf40fbaf35d0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34779"], "package": "electron", "rule_id": "GHSA-5rqw-r77c-jp79", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34779|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4p4r-m79c-wq3v", "level": "warning", "message": {"text": "electron: GHSA-4p4r-m79c-wq3v"}, "properties": {"repobilityId": 112128, "scanner": "osv-scanner", "fingerprint": "d7071cc77b0d2ee0b40e624f9eb125d4ea0dd0341d93f0f2e5ecb1a050a4ee87", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34767"], "package": "electron", "rule_id": "GHSA-4p4r-m79c-wq3v", "scanner": "osv-scanner", "correlation_key": 
"vuln|electron|CVE-2026-34767|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3c8v-cfp5-9885", "level": "warning", "message": {"text": "electron: GHSA-3c8v-cfp5-9885"}, "properties": {"repobilityId": 112127, "scanner": "osv-scanner", "fingerprint": "f53a4c4fb5d8fb87127074fd39822522a201b9139eaa24b73b428fbdb0ada224", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34776"], "package": "electron", "rule_id": "GHSA-3c8v-cfp5-9885", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34776|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 112121, "scanner": "osv-scanner", "fingerprint": "df9432682f1efa01d242974fb7d6c679d3a112195415b0ccdedda1d7decb9db5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 112119, "scanner": "osv-scanner", "fingerprint": "6ed3e11856b985dfd38b234bdeafe6eb9fdd6ace1789aa46a716324dba77d441", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xx6v-rp6x-q39c", "level": "warning", "message": {"text": "axios: GHSA-xx6v-rp6x-q39c"}, "properties": {"repobilityId": 112118, "scanner": "osv-scanner", "fingerprint": "f4d3c3e971d7c32a841a8e9d2274b919d584ebde00c287a5125977e4679b6d2d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42042"], "package": "axios", "rule_id": "GHSA-xx6v-rp6x-q39c", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42042|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w9j2-pvgh-6h63", "level": "warning", "message": {"text": "axios: GHSA-w9j2-pvgh-6h63"}, "properties": {"repobilityId": 112116, "scanner": "osv-scanner", "fingerprint": "aef4ea6bb9fe96970edb89df1c55d9328442cbb2c414e15426581c29b3bedf59", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42041"], "package": "axios", "rule_id": "GHSA-w9j2-pvgh-6h63", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42041|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vf2m-468p-8v99", "level": "warning", "message": {"text": "axios: GHSA-vf2m-468p-8v99"}, "properties": {"repobilityId": 112115, "scanner": "osv-scanner", "fingerprint": 
"a47bbf1de2621c9873c58bf61cf2c204783a954b09e8d45b85369186c7c69e26", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42036"], "package": "axios", "rule_id": "GHSA-vf2m-468p-8v99", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42036|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m7pr-hjqh-92cm", "level": "warning", "message": {"text": "axios: GHSA-m7pr-hjqh-92cm"}, "properties": {"repobilityId": 112111, "scanner": "osv-scanner", "fingerprint": "03d4415cb812368e8d2664c4c86ca75a3c61890e88ca76c80f41517bf7669472", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42038"], "package": "axios", "rule_id": "GHSA-m7pr-hjqh-92cm", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42038|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fvcv-3m26-pcqx", "level": "warning", "message": {"text": "axios: GHSA-fvcv-3m26-pcqx"}, "properties": {"repobilityId": 112108, "scanner": "osv-scanner", "fingerprint": "6fbc23ec83d856d901d25dadcdd98dd5cd74883327b0943a2bf510d4f9fa7c46", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-40175"], "package": "axios", "rule_id": "GHSA-fvcv-3m26-pcqx", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-40175|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-898c-q2cr-xwhg", "level": 
"warning", "message": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "properties": {"repobilityId": 112107, "scanner": "osv-scanner", "fingerprint": "910d37c8ab0a9f57c51541bccb64556608270912d3985e5a8f2de9867dc80925", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44490"], "package": "axios", "rule_id": "GHSA-898c-q2cr-xwhg", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44490|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-62hf-57xw-28j9", "level": "warning", "message": {"text": "axios: GHSA-62hf-57xw-28j9"}, "properties": {"repobilityId": 112104, "scanner": "osv-scanner", "fingerprint": "e3e69eb61e6bbd8b83d34773a4081c1394d54219655b834f554f2b965eaf1623", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42039"], "package": "axios", "rule_id": "GHSA-62hf-57xw-28j9", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42039|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c9x-8gcm-mpgx", "level": "warning", "message": {"text": "axios: GHSA-5c9x-8gcm-mpgx"}, "properties": {"repobilityId": 112103, "scanner": "osv-scanner", "fingerprint": "1abdff1fadfd9fcbb6b74f325b7aa939457126fb887d086666c3ebfc8ac20ccc", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42034"], "package": "axios", "rule_id": "GHSA-5c9x-8gcm-mpgx", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42034|pnpm-lock.yaml"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-445q-vr5w-6q77", "level": "warning", "message": {"text": "axios: GHSA-445q-vr5w-6q77"}, "properties": {"repobilityId": 112102, "scanner": "osv-scanner", "fingerprint": "0db634a898113ae16e2bd4144dfd4eb952edb9d68068ddd88f557973b18060db", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42037"], "package": "axios", "rule_id": "GHSA-445q-vr5w-6q77", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42037|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3w6x-2g7m-8v23", "level": "warning", "message": {"text": "axios: GHSA-3w6x-2g7m-8v23"}, "properties": {"repobilityId": 112101, "scanner": "osv-scanner", "fingerprint": "45fd17844151668e161c272e04ff12aa44bfa977c04e919a141551eabff14904", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42044"], "package": "axios", "rule_id": "GHSA-3w6x-2g7m-8v23", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42044|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j687-52p2-xcff", "level": "warning", "message": {"text": "astro: GHSA-j687-52p2-xcff"}, "properties": {"repobilityId": 112096, "scanner": "osv-scanner", "fingerprint": "874516653c410eb38ca2f89a22aaa3c4b19b9310eb38b9205d5f140f2f0e53f8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41067"], "package": "astro", 
"rule_id": "GHSA-j687-52p2-xcff", "scanner": "osv-scanner", "correlation_key": "vuln|astro|CVE-2026-41067|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q6x5-8v7m-xcrf", "level": "warning", "message": {"text": "@protobufjs/utf8: GHSA-q6x5-8v7m-xcrf"}, "properties": {"repobilityId": 112088, "scanner": "osv-scanner", "fingerprint": "b62fed364cd355ddef3ec7c6769e67069bf83d0dc793e36036cab5b49f69c743", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44288"], "package": "@protobufjs/utf8", "rule_id": "GHSA-q6x5-8v7m-xcrf", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs/utf8|CVE-2026-44288|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9f3f-wv7r-qc8r", "level": "warning", "message": {"text": "github.com/pion/dtls/v3: GHSA-9f3f-wv7r-qc8r"}, "properties": {"repobilityId": 112018, "scanner": "osv-scanner", "fingerprint": "470a281a82d9580c2f924efd572c6a6b1db91d7a63790edf69b79b111d394dcd", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26014", "GO-2026-4479"], "package": "github.com/pion/dtls/v3", "rule_id": "GHSA-9f3f-wv7r-qc8r", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/pion/dtls/v3|CVE-2026-26014|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w239-58x2-q8p5", "level": "warning", "message": {"text": "github.com/ipld/go-ipld-prime: GHSA-w239-58x2-q8p5"}, "properties": {"repobilityId": 112014, "scanner": "osv-scanner", "fingerprint": 
"9fbb90a78fccc8b249d7fffdf2ab519f499b8e82df7c41580e2972638e92d787", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42328"], "package": "github.com/ipld/go-ipld-prime", "rule_id": "GHSA-w239-58x2-q8p5", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-42328|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-378j-3jfj-8r9f", "level": "warning", "message": {"text": "github.com/ipld/go-ipld-prime: GHSA-378j-3jfj-8r9f"}, "properties": {"repobilityId": 112013, "scanner": "osv-scanner", "fingerprint": "89408535940ea05992bdf37c9f6b0bb2ba2ce652d4efa8d9fe49fd6cfb3a6e29", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-35480"], "package": "github.com/ipld/go-ipld-prime", "rule_id": "GHSA-378j-3jfj-8r9f", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-35480|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5pp-99ch-qj29", "level": "warning", "message": {"text": "github.com/go-git/go-git/v5: GHSA-w5pp-99ch-qj29"}, "properties": {"repobilityId": 112009, "scanner": "osv-scanner", "fingerprint": "9d0dddeaadacdcd777e3cb05ad0fe775266bd1404708a99ae35b0c84667bc449", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "github.com/go-git/go-git/v5", "rule_id": "GHSA-w5pp-99ch-qj29", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/go-git/go-git/v5|GHSA-W5PP-99CH-QJ29|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "GHSA-crhj-59gh-8x96", "level": "warning", "message": {"text": "github.com/go-git/go-git/v5: GHSA-crhj-59gh-8x96"}, "properties": {"repobilityId": 112007, "scanner": "osv-scanner", "fingerprint": "14256c8641c5254e38b74bd8f5d6e901e7b367f536510854924fbbd8152c46e5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45571"], "package": "github.com/go-git/go-git/v5", "rule_id": "GHSA-crhj-59gh-8x96", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/go-git/go-git/v5|CVE-2026-45571|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3xc5-wrhm-f963", "level": "warning", "message": {"text": "github.com/go-git/go-git/v5: GHSA-3xc5-wrhm-f963"}, "properties": {"repobilityId": 112006, "scanner": "osv-scanner", "fingerprint": "2b6cde2b5dda3007a4d580625bbcfdec62fa8e1e5d615e41ed7ceb856dffef22", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41506"], "package": "github.com/go-git/go-git/v5", "rule_id": "GHSA-3xc5-wrhm-f963", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/go-git/go-git/v5|CVE-2026-41506|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m3xc-h892-ggx6", "level": "warning", "message": {"text": "github.com/go-git/go-billy/v5: GHSA-m3xc-h892-ggx6"}, "properties": {"repobilityId": 111998, "scanner": "osv-scanner", "fingerprint": "e645265bfff0fec510c98e73352c6014f7b0f2074eba44728880da5c8b7389f8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2026-44740"], "package": "github.com/go-git/go-billy/v5", "rule_id": "GHSA-m3xc-h892-ggx6", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-44740|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vrw8-fxc6-2r93", "level": "warning", "message": {"text": "github.com/go-chi/chi/v5: GHSA-vrw8-fxc6-2r93"}, "properties": {"repobilityId": 111997, "scanner": "osv-scanner", "fingerprint": "c27fe7923854135b085a853fa8485a36c9772f344d9ca9e296bf84af34b92e54", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["GO-2025-3770"], "package": "github.com/go-chi/chi/v5", "rule_id": "GHSA-vrw8-fxc6-2r93", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/go-chi/chi/v5|GHSA-VRW8-FXC6-2R93|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vp62-88p7-qqf5", "level": "warning", "message": {"text": "github.com/docker/docker: GHSA-vp62-88p7-qqf5"}, "properties": {"repobilityId": 111989, "scanner": "osv-scanner", "fingerprint": "a2cc8f2d64539c219ee26c4a647a89c9f308802a8989fbee081e4ae88bb69abb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41568"], "package": "github.com/docker/docker", "rule_id": "GHSA-vp62-88p7-qqf5", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/docker/docker|CVE-2026-41568|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xmrv-pmrh-hhx2", "level": "warning", "message": {"text": "github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: GHSA-xmrv-pmrh-hhx2"}, "properties": {"repobilityId": 111980, "scanner": 
"osv-scanner", "fingerprint": "f1e2844729419a8429f615cc422b6ece896ca12c0ae83080f0c9dd8f1dd31675", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "package": "github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream", "rule_id": "GHSA-xmrv-pmrh-hhx2", "scanner": "osv-scanner", "correlation_key": "vuln|token|GHSA-XMRV-PMRH-HHX2|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-xmrv-pmrh-hhx2"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["31fd02558318856c0b39f05d594958b8cdba8ef1fff5d816f57d51f3e3d7e23c", "f1e2844729419a8429f615cc422b6ece896ca12c0ae83080f0c9dd8f1dd31675"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 111944, "scanner": "repobility-threat-engine", "fingerprint": "39c441dd8343345f26da08282a10a25ef1a41efb3448bfcfdce96c1224b08b43", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.1 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password=\"<redacted>\"", "reason": "Low entropy value (3.1 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|util/mac-codesign.sh|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "util/mac-codesign.sh"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production 
exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 111940, "scanner": "repobility-threat-engine", "fingerprint": "d373f7c8aa9de1fd51b83155dd686c01f89521c140966372417c31f0c09dff93", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d373f7c8aa9de1fd51b83155dd686c01f89521c140966372417c31f0c09dff93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/src/c2pa.rs"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. 
Using either with user input = XSS."}, "properties": {"repobilityId": 111932, "scanner": "repobility-threat-engine", "fingerprint": "774f4a7da480e32bab1d203eca91137217c60c7549b228e094ef3f911f3503b4", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(w, s)\n\t\t\t\tdefault:\n\t\t\t\t\t_ = w.Flush()\n\t\t\t\t\t_ = fd.Close()\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t}\n\t\t}()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|774f4a7da480e32bab1d203eca91137217c60c7549b228e094ef3f911f3503b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/media/random_access_src.go"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 111916, "scanner": "repobility-threat-engine", "fingerprint": "bfebf9916f31c7fadd4a3bdf532295f71c22f74e6c3b714a4762d42c3085fb72", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(8),\n    mode: \"liv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bfebf9916f31c7fadd4a3bdf532295f71c22f74e6c3b714a4762d42c3085fb72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/player-store/player-store.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 111910, "scanner": "repobility-threat-engine", "fingerprint": "31d5df4528a18aed724a58f1d4bdba7bb852ad2a4428bd1deabfd82b3455cded", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (err) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|31d5df4528a18aed724a58f1d4bdba7bb852ad2a4428bd1deabfd82b3455cded"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/crypto-polyfill.native.tsx"}, "region": {"startLine": 7}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 111909, "scanner": 
"repobility-threat-engine", "fingerprint": "0a51846215e425a8b62674b570971c1f91d4330dd7250590aca9bc87d25d0221", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a51846215e425a8b62674b570971c1f91d4330dd7250590aca9bc87d25d0221"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/mobile-player/rotation-lock.tsx"}, "region": {"startLine": 161}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default to rel='noopener' for new windows, but the explicit attribute is still required for compatibility. That implicit default applies to <a target=\"_blank\"> links; a window.open() call keeps window.opener unless 'noopener' is passed in its features argument."}, "properties": {"repobilityId": 111908, "scanner": "repobility-threat-engine", "fingerprint": "612f323f5285139e454ede5f0bf85ea448851ed63c17ae3716c1b31f560bb161", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(linkFtr.uri, \"_blank\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|45|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/chat/chat-message.tsx"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 111900, "scanner": "repobility-threat-engine", "fingerprint": "4c5069fbb494c87a625eabf986eca9d4f427466ad16c88182a8b7075c70116b1", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|pkg/model/model.go|216|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/model/model.go"}, "region": {"startLine": 216}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 111899, "scanner": "repobility-threat-engine", "fingerprint": "57343f633bec620b11323940773301c1f1dd63c39f067826863dd161f3d7f19d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|pkg/localdb/localdb.go|53|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/localdb/localdb.go"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 111898, "scanner": "repobility-threat-engine", "fingerprint": "e1915b6acdce0ed533772f87025a4868f5b94efe6db44fb9c89a6cadd9296f09", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|42|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/settings/about-category-settings.tsx"}, "region": {"startLine": 42}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 111857, "scanner": "repobility-agent-runtime", "fingerprint": "0f09dca2b8a073473214d5986cab5eb3238d103a2d80410e83a95b58bb1c3c13", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|0f09dca2b8a073473214d5986cab5eb3238d103a2d80410e83a95b58bb1c3c13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/mobile-app-banner.tsx"}, "region": {"startLine": 43}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@config-plugins/react-native-webrtc` is 5 major version(s) behind (10.0.0 -> 15.0.1)"}, "properties": {"repobilityId": 111850, "scanner": "repobility-dependency-currency", "fingerprint": 
"32310b7e9f134fbf2e46ae75bcec80d3ba89b6a1bcd53068b7bd5f57db2d1eed", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "5 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@config-plugins/react-native-webrtc", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "15.0.1", "correlation_key": "fp|32310b7e9f134fbf2e46ae75bcec80d3ba89b6a1bcd53068b7bd5f57db2d1eed", "current_version": "10.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/config-react-native-webrtc/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `uint8arrays` is 1 major version(s) behind (^5.1.0 -> 6.1.1)"}, "properties": {"repobilityId": 111849, "scanner": "repobility-dependency-currency", "fingerprint": "f5a255b0ff9dbf1eb6c4b7d11a0ce1733b64267246db42d6bb50cff0fd8a365a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "uint8arrays", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.1.1", "correlation_key": "fp|f5a255b0ff9dbf1eb6c4b7d11a0ce1733b64267246db42d6bb50cff0fd8a365a", "current_version": "^5.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/dev-env/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `better-sqlite3` is 2 major version(s) behind (10.1.0 -> 12.10.0)"}, "properties": {"repobilityId": 111847, "scanner": "repobility-dependency-currency", "fingerprint": "bf70d9d75cca79ee36e2db331e158912d8dce4b131b36a4f62e36c4e8df8b260", "category": "dependency", 
"severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "better-sqlite3", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "12.10.0", "correlation_key": "fp|bf70d9d75cca79ee36e2db331e158912d8dce4b131b36a4f62e36c4e8df8b260", "current_version": "10.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/dev-env/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `multiformats` is 5 major version(s) behind (^9.9.0 -> 14.0.0)"}, "properties": {"repobilityId": 111842, "scanner": "repobility-dependency-currency", "fingerprint": "7726112d850a51db3316fb318e0ec96050441563fe089a277bec7eea6f7a89cc", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "5 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "multiformats", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "14.0.0", "correlation_key": "fp|7726112d850a51db3316fb318e0ec96050441563fe089a277bec7eea6f7a89cc", "current_version": "^9.9.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/streamplace/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `lint-staged` is 2 major version(s) behind (^15.2.10 -> 17.0.7)"}, "properties": {"repobilityId": 111837, "scanner": "repobility-dependency-currency", "fingerprint": "83639b86d880d1a39d3db0d4423bd463ffd4ef445bf0e4783849010d1a689216", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "lint-staged", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.0.7", "correlation_key": "fp|83639b86d880d1a39d3db0d4423bd463ffd4ef445bf0e4783849010d1a689216", "current_version": "^15.2.10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `lerna` is 1 major version(s) behind (^8.2.2 -> 9.0.7)"}, "properties": {"repobilityId": 111836, "scanner": "repobility-dependency-currency", "fingerprint": "2be5a816c09415d9745d27764e331723c76ce0ae3550e5af1dcd3cc2a9912f0e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "lerna", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.7", "correlation_key": "fp|2be5a816c09415d9745d27764e331723c76ce0ae3550e5af1dcd3cc2a9912f0e", "current_version": "^8.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `firebase-admin` is 1 major version(s) behind (^12.7.0 -> 13.10.0)"}, "properties": {"repobilityId": 111832, "scanner": "repobility-dependency-currency", "fingerprint": "df2e13ead711bb66f1d50870343df56da15163ba6f20b2dda9eb7ba3dc3d4738", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "firebase-admin", "scanner": "repobility-dependency-currency", "ecosystem": "npm", 
"languages": ["javascript"], "latest_version": "13.10.0", "correlation_key": "fp|df2e13ead711bb66f1d50870343df56da15163ba6f20b2dda9eb7ba3dc3d4738", "current_version": "^12.7.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8fgc-7cc6-rx7x", "level": "note", "message": {"text": "webpack: GHSA-8fgc-7cc6-rx7x"}, "properties": {"repobilityId": 112239, "scanner": "osv-scanner", "fingerprint": "1993c610a1e199945bd3223101121d865411366cc66303a7a26ce1368fa7ffb3", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68458"], "package": "webpack", "rule_id": "GHSA-8fgc-7cc6-rx7x", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68458|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38r7-794h-5758", "level": "note", "message": {"text": "webpack: GHSA-38r7-794h-5758"}, "properties": {"repobilityId": 112238, "scanner": "osv-scanner", "fingerprint": "f17ee9fc81b3ebbf6275da2f4ff0c137ea8a2828a01f73eb453ed488df735491", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68157"], "package": "webpack", "rule_id": "GHSA-38r7-794h-5758", "scanner": "osv-scanner", "correlation_key": "vuln|webpack|CVE-2025-68157|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-52f5-9888-hmc6", "level": "note", "message": {"text": "tmp: GHSA-52f5-9888-hmc6"}, "properties": {"repobilityId": 112227, "scanner": "osv-scanner", "fingerprint": "ceb0fe0330a6e8c65b0a6d6b0c1b4e5717c16a2c1143f50b7130f9599cd67450", "category": "dependency", 
"severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-54798"], "package": "tmp", "rule_id": "GHSA-52f5-9888-hmc6", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2025-54798|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w7fw-mjwx-w883", "level": "note", "message": {"text": "qs: GHSA-w7fw-mjwx-w883"}, "properties": {"repobilityId": 112214, "scanner": "osv-scanner", "fingerprint": "a8ebfae1708877f4dd9d37cacb9e0f82aeb99b56d968b81a86d1302c6d3af0c2", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2391"], "package": "qs", "rule_id": "GHSA-w7fw-mjwx-w883", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-2391|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-76c9-3jph-rj3q", "level": "note", "message": {"text": "on-headers: GHSA-76c9-3jph-rj3q"}, "properties": {"repobilityId": 112197, "scanner": "osv-scanner", "fingerprint": "97283a2a7d20560a818693b916d6753fd7fbd4236d8d8c1aaa6f41727217c1ce", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-7339"], "package": "on-headers", "rule_id": "GHSA-76c9-3jph-rj3q", "scanner": "osv-scanner", "correlation_key": "vuln|on-headers|CVE-2025-7339|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c7w3-x93f-qmm8", "level": "note", "message": {"text": "nodemailer: GHSA-c7w3-x93f-qmm8"}, "properties": {"repobilityId": 112193, "scanner": 
"osv-scanner", "fingerprint": "31c64031c8b85c21e947591bc8ff7c78856235818dd61e0e5e1c5da52748b170", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "nodemailer", "rule_id": "GHSA-c7w3-x93f-qmm8", "scanner": "osv-scanner", "correlation_key": "vuln|nodemailer|GHSA-C7W3-X93F-QMM8|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-442j-39wm-28r2", "level": "note", "message": {"text": "handlebars: GHSA-442j-39wm-28r2"}, "properties": {"repobilityId": 112164, "scanner": "osv-scanner", "fingerprint": "e21584bfcab1f4840fba0e3149d8014642fb9c5af8cc5ecf77af95826059b67b", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "handlebars", "rule_id": "GHSA-442j-39wm-28r2", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|GHSA-442J-39WM-28R2|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fj3w-jwp8-x2g3", "level": "note", "message": {"text": "fast-xml-parser: GHSA-fj3w-jwp8-x2g3"}, "properties": {"repobilityId": 112150, "scanner": "osv-scanner", "fingerprint": "ff48174273c736800346c107c36df4be991b176ccdbe3297a81bbad806d6894a", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27942"], "package": "fast-xml-parser", "rule_id": "GHSA-fj3w-jwp8-x2g3", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-27942|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-848j-6mx2-7j84", 
"level": "note", "message": {"text": "elliptic: GHSA-848j-6mx2-7j84"}, "properties": {"repobilityId": 112145, "scanner": "osv-scanner", "fingerprint": "d70020eb29381e3175867d7879346d09b0cd1dee65337ec9b8b2ec3b3d115f65", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-14505"], "package": "elliptic", "rule_id": "GHSA-848j-6mx2-7j84", "scanner": "osv-scanner", "correlation_key": "vuln|elliptic|CVE-2025-14505|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jfqx-fxh3-c62j", "level": "note", "message": {"text": "electron: GHSA-jfqx-fxh3-c62j"}, "properties": {"repobilityId": 112138, "scanner": "osv-scanner", "fingerprint": "3a694e11efe78627cf88234dbd37c82e29be74c6741647e4ac492a57a543d424", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34768"], "package": "electron", "rule_id": "GHSA-jfqx-fxh3-c62j", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34768|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f37v-82c4-4x64", "level": "note", "message": {"text": "electron: GHSA-f37v-82c4-4x64"}, "properties": {"repobilityId": 112136, "scanner": "osv-scanner", "fingerprint": "ef9a2db86ea000bf5bf47bc0645cc0935a78ec3335861534ac42294d80abd490", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34781"], "package": "electron", "rule_id": "GHSA-f37v-82c4-4x64", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34781|pnpm-lock.yaml"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9899-m83m-qhpj", "level": "note", "message": {"text": "electron: GHSA-9899-m83m-qhpj"}, "properties": {"repobilityId": 112133, "scanner": "osv-scanner", "fingerprint": "299c7a3ed14d811d0a90bc557ce341d330142adc78b517ee494dcc8fe361478f", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34766"], "package": "electron", "rule_id": "GHSA-9899-m83m-qhpj", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34766|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8x5q-pvf5-64mp", "level": "note", "message": {"text": "electron: GHSA-8x5q-pvf5-64mp"}, "properties": {"repobilityId": 112132, "scanner": "osv-scanner", "fingerprint": "45db3dcd3875e3d69b93dd9a2f57f28228ae5b49c954f1198ef00c25cce9ca36", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34764"], "package": "electron", "rule_id": "GHSA-8x5q-pvf5-64mp", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34764|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 112126, "scanner": "osv-scanner", "fingerprint": "8c668fba000790b63076d59a9979b7c2de72c5f84d365e64fc242ae039652734", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": 
"diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pxg6-pf52-xh8x", "level": "note", "message": {"text": "cookie: GHSA-pxg6-pf52-xh8x"}, "properties": {"repobilityId": 112122, "scanner": "osv-scanner", "fingerprint": "353decb9f04d1c421e622b52000e1e4d5e7fb4b271c2145ccbdb51a43491ec5e", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-47764"], "package": "cookie", "rule_id": "GHSA-pxg6-pf52-xh8x", "scanner": "osv-scanner", "correlation_key": "vuln|cookie|CVE-2024-47764|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v6h2-p8h4-qcjw", "level": "note", "message": {"text": "brace-expansion: GHSA-v6h2-p8h4-qcjw"}, "properties": {"repobilityId": 112120, "scanner": "osv-scanner", "fingerprint": "3e70f19011b58b157f75487899fec2e42cb88c0a653227b585f67c95414d291b", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-5889"], "package": "brace-expansion", "rule_id": "GHSA-v6h2-p8h4-qcjw", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2025-5889|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xhjh-pmcv-23jw", "level": "note", "message": {"text": "axios: GHSA-xhjh-pmcv-23jw"}, "properties": {"repobilityId": 112117, "scanner": "osv-scanner", "fingerprint": "6be00ad157bbc9b2b225b717d3ed5af2e9526a52710e94c6b7b717df98e680ae", "category": "dependency", "severity": "low", "confidence": 
0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42040"], "package": "axios", "rule_id": "GHSA-xhjh-pmcv-23jw", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42040|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xr5h-phrj-8vxv", "level": "note", "message": {"text": "astro: GHSA-xr5h-phrj-8vxv"}, "properties": {"repobilityId": 112097, "scanner": "osv-scanner", "fingerprint": "e146832b98438aaf83834544cebc53b49585698541a1286a0a2ce8f438dc60ad", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45028"], "package": "astro", "rule_id": "GHSA-xr5h-phrj-8vxv", "scanner": "osv-scanner", "correlation_key": "vuln|astro|CVE-2026-45028|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vpq2-c234-7xj6", "level": "note", "message": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "properties": {"repobilityId": 112090, "scanner": "osv-scanner", "fingerprint": "573ec4a58862875e8ce61f54e2504d06b2ca4d339b9ec7540be71ab58ff09e02", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-3449"], "package": "@tootallnate/once", "rule_id": "GHSA-vpq2-c234-7xj6", "scanner": "osv-scanner", "correlation_key": "vuln|tootallnate/once|CVE-2026-3449|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6475-r3vj-m8vf", "level": "note", "message": {"text": "@smithy/config-resolver: GHSA-6475-r3vj-m8vf"}, "properties": {"repobilityId": 112089, 
"scanner": "osv-scanner", "fingerprint": "341fe9c5242a8ced71173ca0a1905f486e9375020ea8c229679b86c9073c3741", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "@smithy/config-resolver", "rule_id": "GHSA-6475-r3vj-m8vf", "scanner": "osv-scanner", "correlation_key": "vuln|smithy/config-resolver|GHSA-6475-R3VJ-M8VF|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j88v-2chj-qfwx", "level": "note", "message": {"text": "github.com/jackc/pgx/v5: GHSA-j88v-2chj-qfwx"}, "properties": {"repobilityId": 112017, "scanner": "osv-scanner", "fingerprint": "ebf4cab495a434b7a5d51fc5ad3320b9742fcb74a82d55076352c73f9560a54b", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41889"], "package": "github.com/jackc/pgx/v5", "rule_id": "GHSA-j88v-2chj-qfwx", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/jackc/pgx/v5|CVE-2026-41889|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m7cr-m3pv-hgrp", "level": "note", "message": {"text": "github.com/go-git/go-git/v5: GHSA-m7cr-m3pv-hgrp"}, "properties": {"repobilityId": 112008, "scanner": "osv-scanner", "fingerprint": "f705e20c8790360d11b2a6532b7cfeadf2200a24e37ace720c117d49698311f6", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45570"], "package": "github.com/go-git/go-git/v5", "rule_id": "GHSA-m7cr-m3pv-hgrp", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/go-git/go-git/v5|CVE-2026-45570|go.mod"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4vq8-7jfc-9cvp", "level": "note", "message": {"text": "github.com/docker/docker: GHSA-4vq8-7jfc-9cvp"}, "properties": {"repobilityId": 111987, "scanner": "osv-scanner", "fingerprint": "c2efe37da131620832f9fa021cfb7796ddfa747e5830f9c96f1fd2db23b9ad7c", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-54410", "GO-2025-3829"], "package": "github.com/docker/docker", "rule_id": "GHSA-4vq8-7jfc-9cvp", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/docker/docker|CVE-2025-54410|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9c48-w39g-hm26", "level": "note", "message": {"text": "rsa: GHSA-9c48-w39g-hm26"}, "properties": {"repobilityId": 111968, "scanner": "osv-scanner", "fingerprint": "32721c15a31d95160522b469e70c2b90d0875223098f81acdd7e8f03d5bce2dc", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-21895"], "package": "rsa", "rule_id": "GHSA-9c48-w39g-hm26", "scanner": "osv-scanner", "correlation_key": "vuln|rsa|CVE-2026-21895|cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 111920, "scanner": "repobility-threat-engine", "fingerprint": "c5ea5152ae2a0289cf41964508490de8a78a6f3488c0107da6af0b6a372a8bcd", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context 
found", "evidence": {"match": "_ = f.Close(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c5ea5152ae2a0289cf41964508490de8a78a6f3488c0107da6af0b6a372a8bcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/blob/file.go"}, "region": {"startLine": 66}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 111919, "scanner": "repobility-threat-engine", "fingerprint": "dd24e8d1f4750e811dd48ea40ec13f00140fe10eb35eb877e29d4dbd08e6a9ad", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = rws.Seek(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dd24e8d1f4750e811dd48ea40ec13f00140fe10eb35eb877e29d4dbd08e6a9ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/aqio/aqio.go"}, "region": {"startLine": 83}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 111918, "scanner": "repobility-threat-engine", "fingerprint": "73900a5458b6f97f32880cd433b4dea7f312b2aa1b0f48044e5262e00ff4121d", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = r.ParseForm(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": 
"fp|73900a5458b6f97f32880cd433b4dea7f312b2aa1b0f48044e5262e00ff4121d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/desktop-updates.go"}, "region": {"startLine": 37}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@atproto/jwk-webcrypto` is minor version(s) behind (^0.2.0 -> 0.3.0)"}, "properties": {"repobilityId": 111856, "scanner": "repobility-dependency-currency", "fingerprint": "bf6e0676818f5d30bf626dc9582cfaf04cd1ce25b7734850fc03a82e64a33382", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@atproto/jwk-webcrypto", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.3.0", "correlation_key": "fp|bf6e0676818f5d30bf626dc9582cfaf04cd1ce25b7734850fc03a82e64a33382", "current_version": "^0.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@atproto/jwk-jose` is minor version(s) behind (^0.1.11 -> 0.2.0)"}, "properties": {"repobilityId": 111855, "scanner": "repobility-dependency-currency", "fingerprint": "399093e78c62ad399832271823062c49c6a772b5118695a8ed6ecc9fdd26ff2c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@atproto/jwk-jose", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.2.0", "correlation_key": "fp|399093e78c62ad399832271823062c49c6a772b5118695a8ed6ecc9fdd26ff2c", "current_version": "^0.1.11"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "js/app/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@atproto/crypto` is minor version(s) behind (^0.4.5 -> 0.5.0)"}, "properties": {"repobilityId": 111854, "scanner": "repobility-dependency-currency", "fingerprint": "0e2cf5cc6f3c4cddf80a0778b03e4a099d22b82c97ffd5699eec800df27ebcdd", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@atproto/crypto", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.5.0", "correlation_key": "fp|0e2cf5cc6f3c4cddf80a0778b03e4a099d22b82c97ffd5699eec800df27ebcdd", "current_version": "^0.4.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@atproto/api` is minor version(s) behind (^0.19.3 -> 0.20.9)"}, "properties": {"repobilityId": 111853, "scanner": "repobility-dependency-currency", "fingerprint": "601370488c82a3d6c6a1d2c1f34c404163eef04871e5c2246546c04bd9461cfa", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@atproto/api", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.20.9", "correlation_key": "fp|601370488c82a3d6c6a1d2c1f34c404163eef04871e5c2246546c04bd9461cfa", "current_version": "^0.19.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@atproto-labs/pipe` 
is minor version(s) behind (^0.1.1 -> 0.2.0)"}, "properties": {"repobilityId": 111852, "scanner": "repobility-dependency-currency", "fingerprint": "e5244f4cb859a14c42c4114c7270f346f7fca17adaefe395c6dc504f439093c3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@atproto-labs/pipe", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.2.0", "correlation_key": "fp|e5244f4cb859a14c42c4114c7270f346f7fca17adaefe395c6dc504f439093c3", "current_version": "^0.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@cloudflare/workers-types` is minor version(s) behind (^4.20241205.0 -> 4.20260605.1)"}, "properties": {"repobilityId": 111851, "scanner": "repobility-dependency-currency", "fingerprint": "70570b8be37d877967d502a824c48db93b9397b492cb6130d9aabaf26223b03d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@cloudflare/workers-types", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.20260605.1", "correlation_key": "fp|70570b8be37d877967d502a824c48db93b9397b492cb6130d9aabaf26223b03d", "current_version": "^4.20241205.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/playback-router/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `get-port` is minor version(s) behind (^7.1.0 -> 7.2.0)"}, "properties": {"repobilityId": 111848, "scanner": 
"repobility-dependency-currency", "fingerprint": "c26e60a02d84214153f230418bfb1fc1e41522845e20e66e298e7e410bee4b37", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "get-port", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.2.0", "correlation_key": "fp|c26e60a02d84214153f230418bfb1fc1e41522845e20e66e298e7e410bee4b37", "current_version": "^7.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/dev-env/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `axios` is minor version(s) behind (^1.7.9 -> 1.17.0)"}, "properties": {"repobilityId": 111846, "scanner": "repobility-dependency-currency", "fingerprint": "e6cdbea4f43be5ce7d2f21ba510669a598c491622e21a010c3be7b746a2fc46d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "axios", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.17.0", "correlation_key": "fp|e6cdbea4f43be5ce7d2f21ba510669a598c491622e21a010c3be7b746a2fc46d", "current_version": "^1.7.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/dev-env/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@atproto/pds` is minor version(s) behind (^0.4.214 -> 0.5.2)"}, "properties": {"repobilityId": 111845, "scanner": "repobility-dependency-currency", "fingerprint": "9adfd1ca64bf4ef69877cdb3128c12ce841b7e54759434e8d73c32d862be18b3", "category": "dependency", "severity": "low", "confidence": 
0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@atproto/pds", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.5.2", "correlation_key": "fp|9adfd1ca64bf4ef69877cdb3128c12ce841b7e54759434e8d73c32d862be18b3", "current_version": "^0.4.214"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/dev-env/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@atproto/identity` is minor version(s) behind (^0.4.12 -> 0.5.0)"}, "properties": {"repobilityId": 111844, "scanner": "repobility-dependency-currency", "fingerprint": "b53d78c8afff7b653ae45ff08b9aeb6b08f776d6ffd6c170c80ee88ef6617a01", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@atproto/identity", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.5.0", "correlation_key": "fp|b53d78c8afff7b653ae45ff08b9aeb6b08f776d6ffd6c170c80ee88ef6617a01", "current_version": "^0.4.12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/dev-env/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@atproto/crypto` is minor version(s) behind (^0.4.5 -> 0.5.0)"}, "properties": {"repobilityId": 111843, "scanner": "repobility-dependency-currency", "fingerprint": "665d5c6bcaadd6597028ea1966e3f7529eec409f04e6a44f6d68b731d897ba0d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": 
"currency", "cwe_ids": [], "package": "@atproto/crypto", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.5.0", "correlation_key": "fp|665d5c6bcaadd6597028ea1966e3f7529eec409f04e6a44f6d68b731d897ba0d", "current_version": "^0.4.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/dev-env/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@atproto/xrpc` is minor version(s) behind (^0.7.7 -> 0.8.0)"}, "properties": {"repobilityId": 111841, "scanner": "repobility-dependency-currency", "fingerprint": "b72f2fab0cd1040d2dd76c66db956fb10ddfd7e9d86072211191e7f020b7c2f3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@atproto/xrpc", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.8.0", "correlation_key": "fp|b72f2fab0cd1040d2dd76c66db956fb10ddfd7e9d86072211191e7f020b7c2f3", "current_version": "^0.7.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/streamplace/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@atproto/lexicon` is minor version(s) behind (^0.6.2 -> 0.7.1)"}, "properties": {"repobilityId": 111840, "scanner": "repobility-dependency-currency", "fingerprint": "03114d6252967ffdf68ef30cc3f3b731ded83ed3cded7ffa51f312af945e85eb", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@atproto/lexicon", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": 
["javascript"], "latest_version": "0.7.1", "correlation_key": "fp|03114d6252967ffdf68ef30cc3f3b731ded83ed3cded7ffa51f312af945e85eb", "current_version": "^0.6.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/streamplace/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@atproto/api` is minor version(s) behind (^0.19.3 -> 0.20.9)"}, "properties": {"repobilityId": 111839, "scanner": "repobility-dependency-currency", "fingerprint": "ab055c7502166ff31462fe8bd307667b54d20c32ffb7e778c3d2dc61b24840ca", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@atproto/api", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.20.9", "correlation_key": "fp|ab055c7502166ff31462fe8bd307667b54d20c32ffb7e778c3d2dc61b24840ca", "current_version": "^0.19.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/streamplace/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `prettier` is minor version(s) behind (3.4.2 -> 3.8.3)"}, "properties": {"repobilityId": 111838, "scanner": "repobility-dependency-currency", "fingerprint": "8730a6bc3377658147df2545dd8521fb03a0f82d8db21bdeddf7b4d0e64c3734", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prettier", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.8.3", "correlation_key": "fp|8730a6bc3377658147df2545dd8521fb03a0f82d8db21bdeddf7b4d0e64c3734", "current_version": 
"3.4.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@atproto/lex-cli` is minor version(s) behind (^0.9.9 -> 0.10.0)"}, "properties": {"repobilityId": 111834, "scanner": "repobility-dependency-currency", "fingerprint": "8ae034dd852c3b05e8984de6ecd30cd509bca18d6fbef4a273cdab8ad6d423d2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@atproto/lex-cli", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.10.0", "correlation_key": "fp|8ae034dd852c3b05e8984de6ecd30cd509bca18d6fbef4a273cdab8ad6d423d2", "current_version": "^0.9.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `prettier-plugin-organize-imports` is minor version(s) behind (^4.1.0 -> 4.3.0)"}, "properties": {"repobilityId": 111833, "scanner": "repobility-dependency-currency", "fingerprint": "7111bf2b5bfb6d9c6713ef7a5c040114b594ab92daf6f8cd62da966fc7eabab9", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prettier-plugin-organize-imports", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.3.0", "correlation_key": "fp|7111bf2b5bfb6d9c6713ef7a5c040114b594ab92daf6f8cd62da966fc7eabab9", "current_version": "^4.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111802, "scanner": "repobility-ai-code-hygiene", "fingerprint": "402149cab902ce464aa59e5907ca0de48912d230daa8c0b8915a4dd42560c53c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/cmd/whep.go", "duplicate_line": 135, "correlation_key": "fp|402149cab902ce464aa59e5907ca0de48912d230daa8c0b8915a4dd42560c53c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/cmd/whip.go"}, "region": {"startLine": 268}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111801, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aa2d97cc85763d722fe306d3129d2c89dcc8865070012aeea40a47dcc714b16d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/app/hooks/useOuterAndInnerDimensions.tsx", "duplicate_line": 1, "correlation_key": "fp|aa2d97cc85763d722fe306d3129d2c89dcc8865070012aeea40a47dcc714b16d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/hooks/useOuterAndInnerDimensions.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111800, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "90a99dc629723fc251b4c04654562792bfa17b40f1a4bc214903f3605b051941", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/app/hooks/useKeyboard.tsx", "duplicate_line": 1, "correlation_key": "fp|90a99dc629723fc251b4c04654562792bfa17b40f1a4bc214903f3605b051941"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/hooks/useKeyboard.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111799, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e9b4cb09aa617cfa1280706e060cb11bb647ade036ab77a54f61b5889868115d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/components/src/components/ui/primitives/text.tsx", "duplicate_line": 50, "correlation_key": "fp|e9b4cb09aa617cfa1280706e060cb11bb647ade036ab77a54f61b5889868115d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/ui/text.tsx"}, "region": {"startLine": 251}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111798, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e90a00c90950916fd8be270465e8ec54a164dbfe41a71cc4680a6c7bd919f268", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/components/src/components/ui/dropdown.native.tsx", "duplicate_line": 34, "correlation_key": "fp|e90a00c90950916fd8be270465e8ec54a164dbfe41a71cc4680a6c7bd919f268"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/ui/dropdown.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111797, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c23d5b403b4ad493bc0f494099b9389eae58173f5fb93c917bcf85e755767f84", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/app/components/mobile/desktop-ui/kebab.tsx", "duplicate_line": 117, "correlation_key": "fp|c23d5b403b4ad493bc0f494099b9389eae58173f5fb93c917bcf85e755767f84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/mobile-player/ui/viewer-context-menu.tsx"}, "region": {"startLine": 311}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111796, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a106e4a0d831065370b3194802a4c956b7f38abaa4ffb24f6c9ff8ce0b0a889d", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/components/src/components/mobile-player/ui/streamer-context-menu.tsx", "duplicate_line": 57, "correlation_key": "fp|a106e4a0d831065370b3194802a4c956b7f38abaa4ffb24f6c9ff8ce0b0a889d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/mobile-player/ui/viewer-context-menu.tsx"}, "region": {"startLine": 101}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111795, "scanner": "repobility-ai-code-hygiene", "fingerprint": "056f2b8aa73d5821a7dc564f9bb2131ac1463973464d9bcdbbc4462a572580a3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/app/components/mobile/desktop-ui/mute-overlay.tsx", "duplicate_line": 41, "correlation_key": "fp|056f2b8aa73d5821a7dc564f9bb2131ac1463973464d9bcdbbc4462a572580a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/mobile-player/ui/autoplay-button.tsx"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111794, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fd0c0fd6fe8e9ad2c98362714906dcb9fe4de37a7963371a09b8ee9bd7d2b9bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/components/src/components/mobile-player/fullscreen.native.tsx", "duplicate_line": 148, "correlation_key": "fp|fd0c0fd6fe8e9ad2c98362714906dcb9fe4de37a7963371a09b8ee9bd7d2b9bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/mobile-player/fullscreen.tsx"}, "region": {"startLine": 96}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111793, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d29028df13a80844829af5502b1746439c758a11e92497e51bd56acba910d612", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/app/components/mobile/desktop-ui/mu.tsx", "duplicate_line": 1, "correlation_key": "fp|d29028df13a80844829af5502b1746439c758a11e92497e51bd56acba910d612"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/danmu/mu.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111792, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4cf346df8c817f8e67e7dc91efb6a673531c5ebf5a6fabf92b5cd5b913a17767", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code 
window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/app/components/live-dashboard/livestream-panel.tsx", "duplicate_line": 122, "correlation_key": "fp|4cf346df8c817f8e67e7dc91efb6a673531c5ebf5a6fabf92b5cd5b913a17767"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/content-metadata/content-metadata-form.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111791, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fd844aeaf6b55a8008da265f9e76ef951c636424d2f1da1334ade28f1c4ea7a0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/components/src/components/chat/emoji-suggestions.tsx", "duplicate_line": 37, "correlation_key": "fp|fd844aeaf6b55a8008da265f9e76ef951c636424d2f1da1334ade28f1c4ea7a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/chat/mention-suggestions.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111790, "scanner": "repobility-ai-code-hygiene", "fingerprint": "572370c089f186e90f044a3d62f67febb6c09dea341defb14e3996afe4656333", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test 
files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/app/src/screens/popout-info-widget.tsx", "duplicate_line": 14, "correlation_key": "fp|572370c089f186e90f044a3d62f67febb6c09dea341defb14e3996afe4656333"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/src/screens/popout-multistream.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111789, "scanner": "repobility-ai-code-hygiene", "fingerprint": "00694994179b3a1d0e564092023250b436886c123e0ba6bf7cab52b5feb22a0c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/app/src/screens/popout-info-widget.tsx", "duplicate_line": 14, "correlation_key": "fp|00694994179b3a1d0e564092023250b436886c123e0ba6bf7cab52b5feb22a0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/src/screens/popout-livestream.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111788, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e0904b104d53e10b430151d66c3fc294a6cc01b93d923e0ded3727c0ad6d9d8f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "js/app/components/settings/multistream-manager.tsx", "duplicate_line": 210, "correlation_key": "fp|e0904b104d53e10b430151d66c3fc294a6cc01b93d923e0ded3727c0ad6d9d8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/settings/webhook-manager.tsx"}, "region": {"startLine": 734}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111787, "scanner": "repobility-ai-code-hygiene", "fingerprint": "17e833144250801e19b6b34196e6cddbf66cf2a997be2057262c198725ffe962", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/app/components/mobile/badge-picker.tsx", "duplicate_line": 76, "correlation_key": "fp|17e833144250801e19b6b34196e6cddbf66cf2a997be2057262c198725ffe962"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/settings/badge-selection-manager.tsx"}, "region": {"startLine": 144}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111786, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bef493c08752bc508d76ede38ee1676a29b6a22f0358665b0689eccff4c088e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/app/components/login/login-modal.tsx", 
"duplicate_line": 34, "correlation_key": "fp|bef493c08752bc508d76ede38ee1676a29b6a22f0358665b0689eccff4c088e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/name-color-picker/name-color-picker.tsx"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111785, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f6fec974ba626dc5cf65cbe1de8cffb5ec0c752cdfd9c739def2c626efe7eacc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "js/app/components/create-livestream.tsx", "duplicate_line": 107, "correlation_key": "fp|f6fec974ba626dc5cf65cbe1de8cffb5ec0c752cdfd9c739def2c626efe7eacc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/edit-livestream.tsx"}, "region": {"startLine": 83}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 111784, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45704695335c48659a38f4dc483fd0c75d207b16db0e6ef7c38820f51ed5bde4", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "new", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|45704695335c48659a38f4dc483fd0c75d207b16db0e6ef7c38820f51ed5bde4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"pkg/mist/misttriggers/user_new.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 111783, "scanner": "repobility-ai-code-hygiene", "fingerprint": "91ccc9f3fb5dc7abf5f7d3e73d0ffa815354369590f465dd69552d5b2c064d0a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "rewrite", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|91ccc9f3fb5dc7abf5f7d3e73d0ffa815354369590f465dd69552d5b2c064d0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/mist/misttriggers/push_rewrite.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 111941, "scanner": "repobility-threat-engine", "fingerprint": "34af4049a9b4b3988b6a9f2c179a9feab2248b52bec3e88da83d53bf70ec78a1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|34af4049a9b4b3988b6a9f2c179a9feab2248b52bec3e88da83d53bf70ec78a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/src/c2pa.rs"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED059", "level": 
"none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 111939, "scanner": "repobility-threat-engine", "fingerprint": "0dd798c62b9a5ab3ca3624781f39e33f8049ea7b9a10bacb97242fff4c33347e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0dd798c62b9a5ab3ca3624781f39e33f8049ea7b9a10bacb97242fff4c33347e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/src/tests.rs"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 111938, "scanner": "repobility-threat-engine", "fingerprint": "e13215456eea93dd15a42d085f046fe24605bb92a0451cbb4a98c3f10e9d6ae0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e13215456eea93dd15a42d085f046fe24605bb92a0451cbb4a98c3f10e9d6ae0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/src/public_key.rs"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 111937, "scanner": "repobility-threat-engine", "fingerprint": "89d2823d21f1f0c808d7ed8c33fc2c4baea0f63193b8067699697fb97bb778f1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|89d2823d21f1f0c808d7ed8c33fc2c4baea0f63193b8067699697fb97bb778f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/export-c2pa-schema/src/main.rs"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 111929, "scanner": "repobility-threat-engine", "fingerprint": "53dc9a2e9da05832df5c54bdcfe8abf4525f443e760de88e896f827d34f86e93", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|53dc9a2e9da05832df5c54bdcfe8abf4525f443e760de88e896f827d34f86e93", "aggregated_count": 22}}}, {"ruleId": "SEC111", "level": "none", "message": {"text": "[SEC111] Django mark_safe / |safe filter on user data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 111925, "scanner": "repobility-threat-engine", "fingerprint": "7a133134847bea60c03ea647562ccee4f1befcfe29713359a75386f33639cbe5", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC111", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7a133134847bea60c03ea647562ccee4f1befcfe29713359a75386f33639cbe5"}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 111921, "scanner": "repobility-threat-engine", "fingerprint": "069111f23d36bc8bf0988361c1723e0322165ca439dc9c9d2268210211ebc2d4", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|069111f23d36bc8bf0988361c1723e0322165ca439dc9c9d2268210211ebc2d4"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 111914, "scanner": "repobility-threat-engine", "fingerprint": "133d0321df668823d68fda7a262cc53d13053f2174d79a753e1fabffb7f20eec", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|133d0321df668823d68fda7a262cc53d13053f2174d79a753e1fabffb7f20eec", "aggregated_count": 4}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 111913, "scanner": "repobility-threat-engine", "fingerprint": "8dbce6597a0d224fe85233f67155c7c33e342bd638bee92ce3aca1b47fbb1b68", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": 
"http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8dbce6597a0d224fe85233f67155c7c33e342bd638bee92ce3aca1b47fbb1b68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/cmd/live.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 111912, "scanner": "repobility-threat-engine", "fingerprint": "018112e805418eed466fb7d1b088c6fb55f324696130bc42b01e25edf2a05d6b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|018112e805418eed466fb7d1b088c6fb55f324696130bc42b01e25edf2a05d6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/desktop/src/node.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 111911, "scanner": "repobility-threat-engine", "fingerprint": "4ba224e83c1aa75add4790037693ffe77b3c97589b4a96904af367ece7615621", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern 
matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4ba224e83c1aa75add4790037693ffe77b3c97589b4a96904af367ece7615621"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/mobile-player/shared.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 111907, "scanner": "repobility-threat-engine", "fingerprint": "7cd717af22f8b099af74b2641760628b39edbbed59a7543ce248f91b5a8671ca", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7cd717af22f8b099af74b2641760628b39edbbed59a7543ce248f91b5a8671ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/store/slices/platformSlice.native.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "properties": {"repobilityId": 111905, "scanner": "repobility-threat-engine", "fingerprint": "dd55d84819d47f5e5d812504b2215e104fa019a370aefca4b9b09787e63b811b", "category": "quality", "severity": "info", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dd55d84819d47f5e5d812504b2215e104fa019a370aefca4b9b09787e63b811b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/src/screens/support.tsx"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 111904, "scanner": "repobility-threat-engine", "fingerprint": "e3cbe691b373ba48afd4e1b4cec3d828ca3a600fb595646e78ad77722ee37a2b", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.json' detected on same line", "evidence": {"match": "require(path", "reason": "Safe pattern '\\.json' detected on same line", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|e3cbe691b373ba48afd4e1b4cec3d828ca3a600fb595646e78ad77722ee37a2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/scripts/gen-emoji-data.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 111901, "scanner": "repobility-threat-engine", "fingerprint": "c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 111897, "scanner": "repobility-threat-engine", "fingerprint": "2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 111893, "scanner": "repobility-threat-engine", "fingerprint": "53d0d55f0ce05bf89db2db74d074a0af0d2e2f55e7abb4083cb8de8c90e785f6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|53d0d55f0ce05bf89db2db74d074a0af0d2e2f55e7abb4083cb8de8c90e785f6", "aggregated_count": 7}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 111892, "scanner": "repobility-threat-engine", "fingerprint": "c15e13f4a0552cd8aeb32a7e51df42eab44ea5ab6d67140f402a93cd817c1fcd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c15e13f4a0552cd8aeb32a7e51df42eab44ea5ab6d67140f402a93cd817c1fcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/settings/badge-selection-manager.tsx"}, "region": {"startLine": 302}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 111891, "scanner": "repobility-threat-engine", "fingerprint": "4712c9df39896dd6b56e4e0a984e25e15e1ecaf990939fb1bf5771599df127d9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4712c9df39896dd6b56e4e0a984e25e15e1ecaf990939fb1bf5771599df127d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/mobile-app-banner.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 111890, "scanner": "repobility-threat-engine", "fingerprint": "5e52460bf173d70870c9f287b5b9d6e3ea71e5ca1bab273d13e42f8882ab6949", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5e52460bf173d70870c9f287b5b9d6e3ea71e5ca1bab273d13e42f8882ab6949"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/live-dashboard/bento-grid.tsx"}, "region": {"startLine": 274}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 111889, "scanner": "repobility-threat-engine", "fingerprint": "377e9ed5b80ffb9d61ead7cdc96c8d32214c1075bbdc490f011ecc80671f46d1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|377e9ed5b80ffb9d61ead7cdc96c8d32214c1075bbdc490f011ecc80671f46d1", "aggregated_count": 10}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 111888, "scanner": "repobility-threat-engine", "fingerprint": "9d8f557b387e987f9bf6778ec45ccae2e3dcbcd8bc08653583ef9785a2830bad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d8f557b387e987f9bf6778ec45ccae2e3dcbcd8bc08653583ef9785a2830bad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/live-dashboard/stream-key.tsx"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 111887, "scanner": "repobility-threat-engine", "fingerprint": "4ca41e1c8333ee28251992a26b0bacc492129aa3638d9f21cfac7b41268a47cf", 
"category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4ca41e1c8333ee28251992a26b0bacc492129aa3638d9f21cfac7b41268a47cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/live-dashboard/live-selector.tsx"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 111886, "scanner": "repobility-threat-engine", "fingerprint": "ba54fd3411f744bbd105b712a8591a0d0dc1a7a736fb09aa8974aeec29f5846f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba54fd3411f744bbd105b712a8591a0d0dc1a7a736fb09aa8974aeec29f5846f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/home/cards.tsx"}, "region": {"startLine": 305}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) 
\u2014 outbound HTTP from user input (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "properties": {"repobilityId": 111885, "scanner": "repobility-threat-engine", "fingerprint": "1604fc2a6059fbcd43640017b006592aa0b1ba1c8f27ee1e39cbd3d6671ebeeb", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 47 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 47 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1604fc2a6059fbcd43640017b006592aa0b1ba1c8f27ee1e39cbd3d6671ebeeb"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "properties": {"repobilityId": 111881, "scanner": "repobility-threat-engine", "fingerprint": "b46cab4075f10735f1d22f500745b75e7c2f7ba42bf2fc33e5622a8f06863edf", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 42 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b46cab4075f10735f1d22f500745b75e7c2f7ba42bf2fc33e5622a8f06863edf", "aggregated_count": 42}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 111880, "scanner": "repobility-threat-engine", "fingerprint": "be8a94f27505d38bbfceac5ce6624c97d9994a00e196814201aec572d1a45685", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|be8a94f27505d38bbfceac5ce6624c97d9994a00e196814201aec572d1a45685"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/home/avatar.tsx"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 111879, "scanner": "repobility-threat-engine", "fingerprint": "f635e3b7744957f4f4a5e6586e0e74db8665d7a8fb0c49711425a28b56a29116", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f635e3b7744957f4f4a5e6586e0e74db8665d7a8fb0c49711425a28b56a29116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/button-selector.tsx"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 111878, "scanner": "repobility-threat-engine", "fingerprint": "e9278f217be7d92d5389ac4296c0b8ba7a36a26a7df5c58bf8d5f00d7d18bd0e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e9278f217be7d92d5389ac4296c0b8ba7a36a26a7df5c58bf8d5f00d7d18bd0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/aqlink.tsx"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 43 more): Same pattern found in 43 additional files. Review if needed."}, "properties": {"repobilityId": 111877, "scanner": "repobility-threat-engine", "fingerprint": "1e7c48fd430cffa0cc2edbf342f14d2610444072282ba116a065b1d3923b8b6a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 43 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1e7c48fd430cffa0cc2edbf342f14d2610444072282ba116a065b1d3923b8b6a", "aggregated_count": 43}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 111876, "scanner": "repobility-threat-engine", "fingerprint": "781e02f8e01b5d6cc311678e68bb43ac337ba4d0289e3e3b262abfb7ee892a27", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|781e02f8e01b5d6cc311678e68bb43ac337ba4d0289e3e3b262abfb7ee892a27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/login/pds-host-selector-modal.tsx"}, "region": {"startLine": 276}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 111875, "scanner": "repobility-threat-engine", "fingerprint": "fc08eb6cb6e57c06c0d33817b6ad30e3428c3da71d9689029095deb15cd0677c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fc08eb6cb6e57c06c0d33817b6ad30e3428c3da71d9689029095deb15cd0677c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/aqlink.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 111874, "scanner": "repobility-threat-engine", "fingerprint": "bc785d27f05af3ca1293607372fc7e34755023ef544ddb2afe7172f20ffb143c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bc785d27f05af3ca1293607372fc7e34755023ef544ddb2afe7172f20ffb143c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/app.config.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 111873, "scanner": "repobility-threat-engine", "fingerprint": "58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "aggregated_count": 2}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 83 more): Same pattern found in 83 additional files. Review if needed."}, "properties": {"repobilityId": 111869, "scanner": "repobility-threat-engine", "fingerprint": "ec429554760de0401706568e44994ee7c0d4db6f3d96f5ed858cf2d61711bd0d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 83 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ec429554760de0401706568e44994ee7c0d4db6f3d96f5ed858cf2d61711bd0d", "aggregated_count": 83}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 111868, "scanner": "repobility-threat-engine", "fingerprint": "c8d5f9514a7d4eed5f1a109f0cabc60dba87fb96c7a7e81d12bb99ebd2abb563", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c8d5f9514a7d4eed5f1a109f0cabc60dba87fb96c7a7e81d12bb99ebd2abb563"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/parse-go-stack-trace.mjs"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 111867, "scanner": "repobility-threat-engine", "fingerprint": "60cff2211fa7126ad1765e7deb8d854ded54e651ddec144d4808f7466629e22e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|60cff2211fa7126ad1765e7deb8d854ded54e651ddec144d4808f7466629e22e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/node-version.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 111866, "scanner": "repobility-threat-engine", "fingerprint": "8441164a2cce3b88e8bd93cae83a4b84209722a6daa3a90626c9459a91f1c4b2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8441164a2cce3b88e8bd93cae83a4b84209722a6daa3a90626c9459a91f1c4b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/atproto-key.mjs"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 111865, "scanner": "repobility-threat-engine", "fingerprint": "538e24d6f9313ff3e57c76dadb857bc7dad2f5ed39cf1812775e1e1b2357a300", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|538e24d6f9313ff3e57c76dadb857bc7dad2f5ed39cf1812775e1e1b2357a300", "aggregated_count": 18}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 111864, "scanner": "repobility-threat-engine", "fingerprint": "b2a60462c8499905477cbf2aa83c9c81203e42de20b29181e89baa46327b2f19", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b2a60462c8499905477cbf2aa83c9c81203e42de20b29181e89baa46327b2f19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/aqtime/aqtime.go"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 111863, "scanner": "repobility-threat-engine", "fingerprint": "db762ebed4e9fde8d367a9c502703a27ddab0004d061d3030e3af28d93fed754", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|db762ebed4e9fde8d367a9c502703a27ddab0004d061d3030e3af28d93fed754"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/mimes.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 111862, "scanner": "repobility-threat-engine", "fingerprint": "306f5d26eedf49ff9792d77289cead373b2b11d82f550c7e751b2c43f8d3a1a1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|306f5d26eedf49ff9792d77289cead373b2b11d82f550c7e751b2c43f8d3a1a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/libstreamplace/streamplace.go"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 111861, "scanner": "repobility-threat-engine", "fingerprint": "651eeaeb3f30cb2788eb7d34578bb476787cc2d5f03c41e1c54c1af75fcf1e00", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|651eeaeb3f30cb2788eb7d34578bb476787cc2d5f03c41e1c54c1af75fcf1e00", "aggregated_count": 16}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 111860, "scanner": "repobility-threat-engine", "fingerprint": "32e8543823f2611b2977d5fb66584459f935c944a3420bf82f1a4d63a5de4b65", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|32e8543823f2611b2977d5fb66584459f935c944a3420bf82f1a4d63a5de4b65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/crypto/signers/eip712/eip712test/eip712test.go"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 111859, "scanner": "repobility-threat-engine", "fingerprint": "ae11ee47f57965c5d8c7e60ca5cace879b74ebdde9a5abfaf543b6e6e83af13a", "category": "quality", "severity": "info", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ae11ee47f57965c5d8c7e60ca5cace879b74ebdde9a5abfaf543b6e6e83af13a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/cmd/timeoutgroup.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 111858, "scanner": "repobility-threat-engine", "fingerprint": "92f36e5d8b0f35799bc0ebbd44473fd04f4212482bb339a0180bb0bd951a343c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92f36e5d8b0f35799bc0ebbd44473fd04f4212482bb339a0180bb0bd951a343c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/libstreamplace/streamplace.go"}, "region": {"startLine": 39}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `husky` is patch version(s) behind (^9.1.6 -> 9.1.7)"}, "properties": {"repobilityId": 111835, "scanner": "repobility-dependency-currency", "fingerprint": 
"f7bcfbfda91ac8069e6b2f1f2640fa55f3d2d307a0782259c103de9851ee4d3e", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "husky", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.1.7", "correlation_key": "fp|f7bcfbfda91ac8069e6b2f1f2640fa55f3d2d307a0782259c103de9851ee4d3e", "current_version": "^9.1.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /clip/:did/clip.mp4."}, "properties": {"repobilityId": 112269, "scanner": "repobility-access-control", "fingerprint": "4b14cd7f6db4f73e34eb73158b79626d3f894ed8a86a286531fcc9327f6f8d29", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/clip/:did/clip.mp4", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/api/api_internal.go|542|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/api_internal.go"}, "region": {"startLine": 542}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PUT /settings/:id."}, "properties": {"repobilityId": 112268, "scanner": "repobility-access-control", "fingerprint": "12990a63b6038715c7399b226681e12466aeff85e2db92a04b9b01729c1ddf7c", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings/:id", "method": "PUT", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/api/api_internal.go|487|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/api_internal.go"}, "region": {"startLine": 487}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /segment/:id."}, "properties": {"repobilityId": 112267, "scanner": "repobility-access-control", "fingerprint": "a5fbc24bd38a395f8cc4441231aa4fd271e1143cdac73030866ec4de88b2f963", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/segment/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/api/api_internal.go|300|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/api_internal.go"}, "region": {"startLine": 300}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /player-report/:id."}, "properties": {"repobilityId": 112266, "scanner": "repobility-access-control", "fingerprint": "36ebd7fed146c69491a572645044a7f40b9205cb47e30ad2e44169477bca403a", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/player-report/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/api/api_internal.go|279|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/api_internal.go"}, "region": {"startLine": 279}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /http-pipe/:uuid."}, "properties": {"repobilityId": 112265, "scanner": "repobility-access-control", "fingerprint": "3a741418735030e6544e40ba845075ca6d42719a23b4a73faf89781e5335168a", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/http-pipe/:uuid", "method": "POST", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/api/api_internal.go|194|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/api_internal.go"}, "region": {"startLine": 194}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /test/:id."}, "properties": {"repobilityId": 112264, "scanner": "repobility-access-control", "fingerprint": "e75bde825f8b7aaa8ef2ed9f9b5299ad72a663181436e81bd65cb5832e391caf", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/test/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|pkg/api/api.go|174|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/api.go"}, "region": {"startLine": 174}}}]}, {"ruleId": "RUSTSEC-2025-0055", "level": "error", "message": {"text": "tracing-subscriber: RUSTSEC-2025-0055"}, "properties": {"repobilityId": 112261, "scanner": "osv-scanner", "fingerprint": "9b4f1c4263ec4b3956b511b8c934487147027c06f72ed1eca890face1a39a5aa", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-58160", "GHSA-xwfj-jgwm-7wp5"], "package": "tracing-subscriber", "rule_id": "RUSTSEC-2025-0055", "scanner": "osv-scanner", "correlation_key": "vuln|tracing-subscriber|CVE-2025-58160|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-xwfj-jgwm-7wp5", "RUSTSEC-2025-0055"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3a9a11712292e6d6c859267ae9068650f7bf8d36341b6447ec3dbd87a48b9d96", "9b4f1c4263ec4b3956b511b8c934487147027c06f72ed1eca890face1a39a5aa"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0009", "level": "error", "message": {"text": "time: RUSTSEC-2026-0009"}, "properties": 
{"repobilityId": 112260, "scanner": "osv-scanner", "fingerprint": "58e5ca2c6f30363fcfdddf211ab709c04a15532f2ab02b139716d4d891b4217a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25727", "GHSA-r6v5-fh4h-64xc"], "package": "time", "rule_id": "RUSTSEC-2026-0009", "scanner": "osv-scanner", "correlation_key": "vuln|time|CVE-2026-25727|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r6v5-fh4h-64xc", "RUSTSEC-2026-0009"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["36a9c5235eb0fde2d8fcd29f508cfab0e63727724ec64324a8e702da17b719bd", "58e5ca2c6f30363fcfdddf211ab709c04a15532f2ab02b139716d4d891b4217a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0047", "level": "error", "message": {"text": "slab: RUSTSEC-2025-0047"}, "properties": {"repobilityId": 112259, "scanner": "osv-scanner", "fingerprint": "e97a7c8fa0c76d9684ccb1d22b6dedac504a7591bec9a719108906c88f43951d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-55159", "GHSA-qx2v-8332-m4fv"], "package": "slab", "rule_id": "RUSTSEC-2025-0047", "scanner": "osv-scanner", "correlation_key": "vuln|slab|CVE-2025-55159|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qx2v-8332-m4fv", "RUSTSEC-2025-0047"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["60aa7d9a2b705c6a2d6579710a80aca2dc12071276b1fc727ce6f191207845e2", "e97a7c8fa0c76d9684ccb1d22b6dedac504a7591bec9a719108906c88f43951d"]}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0104", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0104"}, "properties": {"repobilityId": 112258, "scanner": "osv-scanner", "fingerprint": "3416230faedd727fe439410a1a5cd69c55e89c6edafa9ff90f57a1d397c94839", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-82j2-j2ch-gfr8"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0104", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-82J2-J2CH-GFR8|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-82j2-j2ch-gfr8", "RUSTSEC-2026-0104"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3416230faedd727fe439410a1a5cd69c55e89c6edafa9ff90f57a1d397c94839", "3982d38d6247b1ad55359e87eb1154e52c75fce0190d69bd2b49a81386ca6027"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0099", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0099"}, "properties": {"repobilityId": 112257, "scanner": "osv-scanner", "fingerprint": "23fde100687638fa7b08a4097bde39c08a4df515895fc8d328c747df15ac4950", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-xgp8-3hg3-c2mh"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0099", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-XGP8-3HG3-C2MH|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-xgp8-3hg3-c2mh", "RUSTSEC-2026-0099"], "duplicate_scanners": ["osv-scanner"], 
"duplicate_fingerprints": ["23fde100687638fa7b08a4097bde39c08a4df515895fc8d328c747df15ac4950", "5887e28e2e11da30e52e8be2c0411ec534250974d347c83b7fb1f896e1e56c4c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0098", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0098"}, "properties": {"repobilityId": 112256, "scanner": "osv-scanner", "fingerprint": "accf22f594f50c326d6c43a03cbf19f47257262e97f340694097cae9cfe18106", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-965h-392x-2mh5"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0098", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-965H-392X-2MH5|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-965h-392x-2mh5", "RUSTSEC-2026-0098"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["9a21c96f6733e1e7389e6568ed87897c2fb0ee4b3704d666cfd422d711c01fd8", "accf22f594f50c326d6c43a03cbf19f47257262e97f340694097cae9cfe18106"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0049", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0049"}, "properties": {"repobilityId": 112255, "scanner": "osv-scanner", "fingerprint": "d3b6f499b9f584fab52f41e95e5ef439cd3aadba467ee880d15e0d188c6c74ee", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-pwjx-qhcg-rvj4"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0049", 
"scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-PWJX-QHCG-RVJ4|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-pwjx-qhcg-rvj4", "RUSTSEC-2026-0049"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["661acaea603a66f1996598bc1b722394f2ed7cb41485d2acf34928edba81547e", "d3b6f499b9f584fab52f41e95e5ef439cd3aadba467ee880d15e0d188c6c74ee"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0097", "level": "error", "message": {"text": "rand: RUSTSEC-2026-0097"}, "properties": {"repobilityId": 112254, "scanner": "osv-scanner", "fingerprint": "356c7a33a1c1a429baaa159f81d3b4d574bc9095d8908374bb0d2289e12a22b3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-cq8v-f236-94qc"], "package": "rand", "rule_id": "RUSTSEC-2026-0097", "scanner": "osv-scanner", "correlation_key": "vuln|rand|GHSA-CQ8V-F236-94QC|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-cq8v-f236-94qc", "RUSTSEC-2026-0097"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["202de5d46bfe5972ca4d160dfe3523d79ff773fc351c5bd4d6598396957178a4", "356c7a33a1c1a429baaa159f81d3b4d574bc9095d8908374bb0d2289e12a22b3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0037", "level": "error", "message": {"text": "quinn-proto: RUSTSEC-2026-0037"}, "properties": {"repobilityId": 112253, "scanner": "osv-scanner", "fingerprint": "d3c5ff9e1a2f28ffc9f710b48447285492e459330af2c35d38691240bc7400c6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 
1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-31812", "GHSA-6xvm-j4wr-6v98"], "package": "quinn-proto", "rule_id": "RUSTSEC-2026-0037", "scanner": "osv-scanner", "correlation_key": "vuln|quinn-proto|CVE-2026-31812|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-6xvm-j4wr-6v98", "RUSTSEC-2026-0037"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1f26440b811de9c96bdc4198e6fcf5485b35368590a2c3260591f8fc51a6766e", "d3c5ff9e1a2f28ffc9f710b48447285492e459330af2c35d38691240bc7400c6"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0436", "level": "error", "message": {"text": "paste: RUSTSEC-2024-0436"}, "properties": {"repobilityId": 112252, "scanner": "osv-scanner", "fingerprint": "5f265dcb819200bd8ffe5ccc332a858034275cd94eaedfc3fc099ae5e5e05f86", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "paste", "rule_id": "RUSTSEC-2024-0436", "scanner": "osv-scanner", "correlation_key": "fp|5f265dcb819200bd8ffe5ccc332a858034275cd94eaedfc3fc099ae5e5e05f86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0002", "level": "error", "message": {"text": "lru: RUSTSEC-2026-0002"}, "properties": {"repobilityId": 112251, "scanner": "osv-scanner", "fingerprint": "92024f4f0ef18b5b895aad865d046586a04a6af085adbfc88d4ef2623a9e54fc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-rhfx-m35p-ff5j"], "package": "lru", "rule_id": "RUSTSEC-2026-0002", 
"scanner": "osv-scanner", "correlation_key": "vuln|lru|GHSA-RHFX-M35P-FF5J|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-rhfx-m35p-ff5j", "RUSTSEC-2026-0002"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3467d3869b842b95b7f1cfcd9b844dfecdb98319d0230e1ce0ed73d13dd0bf5b", "92024f4f0ef18b5b895aad865d046586a04a6af085adbfc88d4ef2623a9e54fc"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0384", "level": "error", "message": {"text": "instant: RUSTSEC-2024-0384"}, "properties": {"repobilityId": 112250, "scanner": "osv-scanner", "fingerprint": "b7424535f8200b34b477ee2bec31ce6b86eee594c9369a1a2a65d0c1907ba6ec", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "instant", "rule_id": "RUSTSEC-2024-0384", "scanner": "osv-scanner", "correlation_key": "fp|b7424535f8200b34b477ee2bec31ce6b86eee594c9369a1a2a65d0c1907ba6ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0119", "level": "error", "message": {"text": "hickory-proto: RUSTSEC-2026-0119"}, "properties": {"repobilityId": 112249, "scanner": "osv-scanner", "fingerprint": "c7e0a7e9b4007e70b4da943d994f6975d35bb99f320e56965a8dc1779bf8ddde", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-q2qq-hmj6-3wpp"], "package": "hickory-proto", "rule_id": "RUSTSEC-2026-0119", "scanner": "osv-scanner", "correlation_key": "vuln|hickory-proto|GHSA-Q2QQ-HMJ6-3WPP|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-q2qq-hmj6-3wpp", "RUSTSEC-2026-0119"], 
"duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["069c05c1a872e4eac7a52518c0698bcc6637bf4466655fc6e0e944185daf718a", "c7e0a7e9b4007e70b4da943d994f6975d35bb99f320e56965a8dc1779bf8ddde"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0118", "level": "error", "message": {"text": "hickory-proto: RUSTSEC-2026-0118"}, "properties": {"repobilityId": 112248, "scanner": "osv-scanner", "fingerprint": "51eabebd40511167b5ea26817a93a0a866e527e2be516c083f6b369dc93a8e82", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-3v94-mw7p-v465", "RUSTSEC-2026-0120"], "package": "hickory-proto", "rule_id": "RUSTSEC-2026-0118", "scanner": "osv-scanner", "correlation_key": "vuln|hickory-proto|GHSA-3V94-MW7P-V465|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-3v94-mw7p-v465", "RUSTSEC-2026-0118"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["51eabebd40511167b5ea26817a93a0a866e527e2be516c083f6b369dc93a8e82", "f450d520ab23a1ec3331ef24d36a96e6cae38de3deb0c89e3a7932c34fabfc69"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0007", "level": "error", "message": {"text": "bytes: RUSTSEC-2026-0007"}, "properties": {"repobilityId": 112247, "scanner": "osv-scanner", "fingerprint": "04d6d57a438c36b16da1106a04d65dfc0a612e01de9ee7c7c8d174f1cd13ab2f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25541", 
"GHSA-434x-w66g-qw3r"], "package": "bytes", "rule_id": "RUSTSEC-2026-0007", "scanner": "osv-scanner", "correlation_key": "vuln|bytes|CVE-2026-25541|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-434x-w66g-qw3r", "RUSTSEC-2026-0007"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["04d6d57a438c36b16da1106a04d65dfc0a612e01de9ee7c7c8d174f1cd13ab2f", "7bbdaf756d67fedebf1a873d2c5691080d642750fdc59bc6049f050f15394ba0"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0141", "level": "error", "message": {"text": "bincode: RUSTSEC-2025-0141"}, "properties": {"repobilityId": 112246, "scanner": "osv-scanner", "fingerprint": "47550201fa96c4976b4280e53a06ea56888c6af3011cdf5a991d0d453974c7f4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "bincode", "rule_id": "RUSTSEC-2025-0141", "scanner": "osv-scanner", "correlation_key": "fp|47550201fa96c4976b4280e53a06ea56888c6af3011cdf5a991d0d453974c7f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2023-0089", "level": "error", "message": {"text": "atomic-polyfill: RUSTSEC-2023-0089"}, "properties": {"repobilityId": 112245, "scanner": "osv-scanner", "fingerprint": "954f82d5ab1ff485517c64d3fb7fff05712ff630320cf340d525d8b9b0a493be", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "atomic-polyfill", "rule_id": "RUSTSEC-2023-0089", "scanner": "osv-scanner", "correlation_key": "fp|954f82d5ab1ff485517c64d3fb7fff05712ff630320cf340d525d8b9b0a493be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p9ff-h696-f583", "level": "error", "message": {"text": "vite: GHSA-p9ff-h696-f583"}, "properties": {"repobilityId": 112237, "scanner": "osv-scanner", "fingerprint": "e4e3f54a4dc9146916e0304c9d50318b9ef24b5c1473da2baafc759d95054cac", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39363"], "package": "vite", "rule_id": "GHSA-p9ff-h696-f583", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39363|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vrm6-8vpv-qv8q", "level": "error", "message": {"text": "undici: GHSA-vrm6-8vpv-qv8q"}, "properties": {"repobilityId": 112233, "scanner": "osv-scanner", "fingerprint": "c37ac9a11b75eab8367403efcb9dec6a75ce8df6e9fdc49ad7043ccc2438ed6d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1526"], "package": "undici", "rule_id": "GHSA-vrm6-8vpv-qv8q", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1526|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v9p9-hfj2-hcw8", "level": "error", "message": {"text": "undici: GHSA-v9p9-hfj2-hcw8"}, "properties": {"repobilityId": 112232, "scanner": "osv-scanner", "fingerprint": "5fc7025df7e18a64b471bcd54c54cc98548e3ccc90563b6c7730d159bcc47e26", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2229"], "package": "undici", "rule_id": "GHSA-v9p9-hfj2-hcw8", "scanner": 
"osv-scanner", "correlation_key": "vuln|undici|CVE-2026-2229|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f269-vfmq-vjvj", "level": "error", "message": {"text": "undici: GHSA-f269-vfmq-vjvj"}, "properties": {"repobilityId": 112231, "scanner": "osv-scanner", "fingerprint": "943a2365e88418ce5122e30724dd08e18033bf6ef4e016cb3bc7e05e998b46bf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1528"], "package": "undici", "rule_id": "GHSA-f269-vfmq-vjvj", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1528|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ph9p-34f9-6g65", "level": "error", "message": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "properties": {"repobilityId": 112228, "scanner": "osv-scanner", "fingerprint": "85237a582679ce02ed5374b4c960bb9330e68d29c31080114a7ec45740887db3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44705"], "package": "tmp", "rule_id": "GHSA-ph9p-34f9-6g65", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2026-44705|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vj76-c3g6-qr5v", "level": "error", "message": {"text": "tar-fs: GHSA-vj76-c3g6-qr5v"}, "properties": {"repobilityId": 112226, "scanner": "osv-scanner", "fingerprint": "a908968c3376c9dbf88e9849fc6469b496b10375689119e420833f0feea7a41e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"match": "", "aliases": ["CVE-2025-59343"], "package": "tar-fs", "rule_id": "GHSA-vj76-c3g6-qr5v", "scanner": "osv-scanner", "correlation_key": "vuln|tar-fs|CVE-2025-59343|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8cj5-5rvv-wf4v", "level": "error", "message": {"text": "tar-fs: GHSA-8cj5-5rvv-wf4v"}, "properties": {"repobilityId": 112225, "scanner": "osv-scanner", "fingerprint": "34af21000ffcb13895ec80b18902d135577b525745f0e6bee794dd61721d48b4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-48387"], "package": "tar-fs", "rule_id": "GHSA-8cj5-5rvv-wf4v", "scanner": "osv-scanner", "correlation_key": "vuln|tar-fs|CVE-2025-48387|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r6q2-hw4h-h46w", "level": "error", "message": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "properties": {"repobilityId": 112224, "scanner": "osv-scanner", "fingerprint": "a506cfec32bc23a52abb3358a13699dbb757b022e3c233283203353a8826b593", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23950"], "package": "tar", "rule_id": "GHSA-r6q2-hw4h-h46w", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23950|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qffp-2rhf-9h96", "level": "error", "message": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "properties": {"repobilityId": 112223, "scanner": "osv-scanner", "fingerprint": "f8fa987aa9acadbb491ed96885533ab55d2a0afc9f4623918e86fa3756ca851f", "category": 
"dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-29786"], "package": "tar", "rule_id": "GHSA-qffp-2rhf-9h96", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-29786|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9ppj-qmqm-q256", "level": "error", "message": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "properties": {"repobilityId": 112222, "scanner": "osv-scanner", "fingerprint": "69b2c0b2d95567c9d3ec0e13212c39d24902dceb82922feb24047ba7dfb846b6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-31802"], "package": "tar", "rule_id": "GHSA-9ppj-qmqm-q256", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-31802|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8qq5-rm4j-mr97", "level": "error", "message": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "properties": {"repobilityId": 112221, "scanner": "osv-scanner", "fingerprint": "4f89d9b810881688457b80c49ab868f006943a84374041c9ede83f89d8996e2f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23745"], "package": "tar", "rule_id": "GHSA-8qq5-rm4j-mr97", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23745|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-83g3-92jg-28cx", "level": "error", "message": {"text": "tar: GHSA-83g3-92jg-28cx"}, "properties": {"repobilityId": 112220, "scanner": 
"osv-scanner", "fingerprint": "f024e3a8dade0f899aad4e013def341d786ed8b27d0ff31b6c56f7767e17e900", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26960"], "package": "tar", "rule_id": "GHSA-83g3-92jg-28cx", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-26960|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-34x7-hfp2-rc4v", "level": "error", "message": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "properties": {"repobilityId": 112219, "scanner": "osv-scanner", "fingerprint": "b6245b99f855ef4f5327cea1040dc6abd2e19916475c6aa3696f274c7c921329", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24842"], "package": "tar", "rule_id": "GHSA-34x7-hfp2-rc4v", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-24842|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 112216, "scanner": "osv-scanner", "fingerprint": "de4935b665c57173b6330e6fb3d06a59e8b21f8a73cc30ee4bd8c133ec29eb0f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"GHSA-mw96-cpmx-2vgc", "level": "error", "message": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "properties": {"repobilityId": 112215, "scanner": "osv-scanner", "fingerprint": "0425e8b734fe5759a8789ed8ef46f76963f44ca5145876702e82443bdd19a5ab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27606"], "package": "rollup", "rule_id": "GHSA-mw96-cpmx-2vgc", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2026-27606|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jvwf-75h9-cwgg", "level": "error", "message": {"text": "protobufjs: GHSA-jvwf-75h9-cwgg"}, "properties": {"repobilityId": 112209, "scanner": "osv-scanner", "fingerprint": "b4f545775b6e58b23e03fb12f84beaf84ea34fd3563c6adaf1077d5fa008d283", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44290"], "package": "protobufjs", "rule_id": "GHSA-jvwf-75h9-cwgg", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44290|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-75px-5xx7-5xc7", "level": "error", "message": {"text": "protobufjs: GHSA-75px-5xx7-5xc7"}, "properties": {"repobilityId": 112206, "scanner": "osv-scanner", "fingerprint": "d392bcd6ab67ac26916d5f86aefffca7e238815dcc3d8ee00a98f67511d8f3cf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44291"], "package": "protobufjs", "rule_id": "GHSA-75px-5xx7-5xc7", "scanner": "osv-scanner", "correlation_key": 
"vuln|protobufjs|CVE-2026-44291|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-685m-2w69-288q", "level": "error", "message": {"text": "protobufjs: GHSA-685m-2w69-288q"}, "properties": {"repobilityId": 112205, "scanner": "osv-scanner", "fingerprint": "3677c9fc441fe6ba6b5404f9f6e073f93b9e53ad987ce7ec1aca472ffe800200", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44289"], "package": "protobufjs", "rule_id": "GHSA-685m-2w69-288q", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44289|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-66ff-xgx4-vchm", "level": "error", "message": {"text": "protobufjs: GHSA-66ff-xgx4-vchm"}, "properties": {"repobilityId": 112204, "scanner": "osv-scanner", "fingerprint": "ad79854e3d9cc2e17279d1526514df2935b3e5fcb4a62c34fa9dca9bfc7e444b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44293"], "package": "protobufjs", "rule_id": "GHSA-66ff-xgx4-vchm", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44293|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 112201, "scanner": "osv-scanner", "fingerprint": "a3dd2390244022d96de63689cdd673fb906d1165f495d6a42a0980e956db632d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rhx6-c78j-4q9w", "level": "error", "message": {"text": "path-to-regexp: GHSA-rhx6-c78j-4q9w"}, "properties": {"repobilityId": 112199, "scanner": "osv-scanner", "fingerprint": "bb29ea2b0c126b076f242eb56cea4b49f6b112670e22db444f3d7ab2d4ddc6a4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-52798"], "package": "path-to-regexp", "rule_id": "GHSA-rhx6-c78j-4q9w", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2024-52798|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-37ch-88jc-xwx2", "level": "error", "message": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "properties": {"repobilityId": 112198, "scanner": "osv-scanner", "fingerprint": "5f84f52bbcd46db66c79dfd59714ac90c668d089fbb31ecd1c685bce826e6c9c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4867"], "package": "path-to-regexp", "rule_id": "GHSA-37ch-88jc-xwx2", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4867|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rcmh-qjqh-p98v", "level": "error", "message": {"text": "nodemailer: GHSA-rcmh-qjqh-p98v"}, "properties": {"repobilityId": 112195, "scanner": "osv-scanner", "fingerprint": 
"81ccc0f198974374ff5a970c5f03506bd4ad2d9c0b3ecf9f71629f4452959ea4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-14874"], "package": "nodemailer", "rule_id": "GHSA-rcmh-qjqh-p98v", "scanner": "osv-scanner", "correlation_key": "vuln|nodemailer|CVE-2025-14874|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q67f-28xg-22rw", "level": "error", "message": {"text": "node-forge: GHSA-q67f-28xg-22rw"}, "properties": {"repobilityId": 112192, "scanner": "osv-scanner", "fingerprint": "a69db64dde57e37f7dce01118e6ddc618411910f6d20e61e2200dfd33f8f982e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33895"], "package": "node-forge", "rule_id": "GHSA-q67f-28xg-22rw", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33895|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ppp5-5v6c-4jwp", "level": "error", "message": {"text": "node-forge: GHSA-ppp5-5v6c-4jwp"}, "properties": {"repobilityId": 112191, "scanner": "osv-scanner", "fingerprint": "678f289e9900c57e676593d804de0a138b236439c6c97c2d2e4d4239b16dfcfa", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33894"], "package": "node-forge", "rule_id": "GHSA-ppp5-5v6c-4jwp", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33894|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"GHSA-5m6q-g25r-mvwx", "level": "error", "message": {"text": "node-forge: GHSA-5m6q-g25r-mvwx"}, "properties": {"repobilityId": 112189, "scanner": "osv-scanner", "fingerprint": "dc5fa214bdc6d63d473f50f22af42dea35347f5fb1cf540d539cfe46604ac6da", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33891"], "package": "node-forge", "rule_id": "GHSA-5m6q-g25r-mvwx", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33891|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5gfm-wpxj-wjgq", "level": "error", "message": {"text": "node-forge: GHSA-5gfm-wpxj-wjgq"}, "properties": {"repobilityId": 112188, "scanner": "osv-scanner", "fingerprint": "37801c7f7d41e93aee859018f0d1a1c4846220b2d52b16a3ee24c8dbb5c5ab1c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-12816"], "package": "node-forge", "rule_id": "GHSA-5gfm-wpxj-wjgq", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2025-12816|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-554w-wpv2-vw27", "level": "error", "message": {"text": "node-forge: GHSA-554w-wpv2-vw27"}, "properties": {"repobilityId": 112187, "scanner": "osv-scanner", "fingerprint": "8812c16a4e42dd19d361ca520f98bbaf875b31b039c35da8ded934aa4337f617", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66031"], "package": "node-forge", "rule_id": "GHSA-554w-wpv2-vw27", "scanner": "osv-scanner", "correlation_key": 
"vuln|node-forge|CVE-2025-66031|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2328-f5f3-gj25", "level": "error", "message": {"text": "node-forge: GHSA-2328-f5f3-gj25"}, "properties": {"repobilityId": 112186, "scanner": "osv-scanner", "fingerprint": "541e84349945fccc3e4ec79e0a4d02d9c0e7ba223c81a229c94604f1bc507cf5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33896"], "package": "node-forge", "rule_id": "GHSA-2328-f5f3-gj25", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33896|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 112185, "scanner": "osv-scanner", "fingerprint": "c3482c8b051b710219b686b962c8edfcc83babb0e1e54a2b470ae7782dd0b574", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 112184, "scanner": "osv-scanner", "fingerprint": "2fd5e24a94dfd2116cfc5d9aeb4e4f584669c9b76d1795010331a7b69b3682a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 112183, "scanner": "osv-scanner", "fingerprint": "af7663e4c51288986bfb4927d06e33aa650fed364bb14d31804c3d4da5638193", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 112179, "scanner": "osv-scanner", "fingerprint": "853deeac541f0dc49600a5a4216f851e15bffd93ce8be267a82d13637ceb9e7d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8cpq-38p9-67gx", "level": "error", "message": {"text": "kysely: GHSA-8cpq-38p9-67gx"}, "properties": {"repobilityId": 112177, "scanner": "osv-scanner", "fingerprint": 
"000e2f068cd6454c0831846c9b4fa0e8586b3137f1266e7e9b9723a17ce4c47b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33468"], "package": "kysely", "rule_id": "GHSA-8cpq-38p9-67gx", "scanner": "osv-scanner", "correlation_key": "vuln|kysely|CVE-2026-33468|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-869p-cjfg-cm3x", "level": "error", "message": {"text": "jws: GHSA-869p-cjfg-cm3x"}, "properties": {"repobilityId": 112176, "scanner": "osv-scanner", "fingerprint": "727fcd5673fcc6c1b67b98e67bbc838dade16b9a5463bfbdf6b667daae8cde7a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-65945"], "package": "jws", "rule_id": "GHSA-869p-cjfg-cm3x", "scanner": "osv-scanner", "correlation_key": "vuln|jws|CVE-2025-65945|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m5qc-5hw7-8vg7", "level": "error", "message": {"text": "image-size: GHSA-m5qc-5hw7-8vg7"}, "properties": {"repobilityId": 112173, "scanner": "osv-scanner", "fingerprint": "6b6a262b1da57928e87c990ed7a34a0a0449e11614302e8777d483900a0d2f08", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "image-size", "rule_id": "GHSA-m5qc-5hw7-8vg7", "scanner": "osv-scanner", "correlation_key": "vuln|image-size|GHSA-M5QC-5HW7-8VG7|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c7qv-q95q-8v27", "level": "error", "message": {"text": 
"http-proxy-middleware: GHSA-c7qv-q95q-8v27"}, "properties": {"repobilityId": 112171, "scanner": "osv-scanner", "fingerprint": "2cf99c117618b64d077c412d1201c10c292a3ef6bbda29e13390ea05eccc3273", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-21536"], "package": "http-proxy-middleware", "rule_id": "GHSA-c7qv-q95q-8v27", "scanner": "osv-scanner", "correlation_key": "vuln|http-proxy-middleware|CVE-2024-21536|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xjpj-3mr7-gcpf", "level": "error", "message": {"text": "handlebars: GHSA-xjpj-3mr7-gcpf"}, "properties": {"repobilityId": 112168, "scanner": "osv-scanner", "fingerprint": "24ba3e0cc9cef82237817206aeed468834465fd459b16420bb67cc61a681a8ac", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33941"], "package": "handlebars", "rule_id": "GHSA-xjpj-3mr7-gcpf", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33941|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xhpv-hc6g-r9c6", "level": "error", "message": {"text": "handlebars: GHSA-xhpv-hc6g-r9c6"}, "properties": {"repobilityId": 112167, "scanner": "osv-scanner", "fingerprint": "10d6b52a4d44532c79b9bafe359015930587a7e16fbbab09b528c0b860d1ad02", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33940"], "package": "handlebars", "rule_id": "GHSA-xhpv-hc6g-r9c6", "scanner": "osv-scanner", "correlation_key": 
"vuln|handlebars|CVE-2026-33940|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9cx6-37pm-9jff", "level": "error", "message": {"text": "handlebars: GHSA-9cx6-37pm-9jff"}, "properties": {"repobilityId": 112166, "scanner": "osv-scanner", "fingerprint": "ce9a0820457f11d7c2e22ef7f075232723135b46e0fa5f339e31671e43b99355", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33939"], "package": "handlebars", "rule_id": "GHSA-9cx6-37pm-9jff", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33939|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3mfm-83xf-c92r", "level": "error", "message": {"text": "handlebars: GHSA-3mfm-83xf-c92r"}, "properties": {"repobilityId": 112163, "scanner": "osv-scanner", "fingerprint": "bd8e1ad0e6b1841135a2cb8997374a71a1df7a2ac3600a33b76c596543096f07", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33938"], "package": "handlebars", "rule_id": "GHSA-3mfm-83xf-c92r", "scanner": "osv-scanner", "correlation_key": "vuln|handlebars|CVE-2026-33938|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5j98-mcp5-4vw2", "level": "error", "message": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "properties": {"repobilityId": 112158, "scanner": "osv-scanner", "fingerprint": "eb4e2489dccfcd558471ee06a12a3834967a0dcf3de2afa6a148d01c6659b4de", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"match": "", "aliases": ["CVE-2025-64756"], "package": "glob", "rule_id": "GHSA-5j98-mcp5-4vw2", "scanner": "osv-scanner", "correlation_key": "vuln|glob|CVE-2025-64756|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rf6f-7fwh-wjgh", "level": "error", "message": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "properties": {"repobilityId": 112156, "scanner": "osv-scanner", "fingerprint": "bb0508d8b81791b93a087ab900f213d85cb4d8a9469875be9a0c401a10ba6490", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33228"], "package": "flatted", "rule_id": "GHSA-rf6f-7fwh-wjgh", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-33228|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-25h7-pfq9-p65f", "level": "error", "message": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "properties": {"repobilityId": 112155, "scanner": "osv-scanner", "fingerprint": "68dd2c69540d2eac4711f2087ccd7176bb1037726ae0451ddfe3dcae14fc6d75", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32141"], "package": "flatted", "rule_id": "GHSA-25h7-pfq9-p65f", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-32141|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8gc5-j5rx-235r", "level": "error", "message": {"text": "fast-xml-parser: GHSA-8gc5-j5rx-235r"}, "properties": {"repobilityId": 112149, "scanner": "osv-scanner", "fingerprint": 
"b98108478d87351d5dbad95b8011fa0339688e7d60bb1041d7f7381fffd10707", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33036"], "package": "fast-xml-parser", "rule_id": "GHSA-8gc5-j5rx-235r", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-26278|pnpm-lock.yaml", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-8gc5-j5rx-235r", "GHSA-jmr7-xgp7-cmfj"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["4f434800ae6dd79184330958e8997d2c750ee9a89dfa1b34dfc89541eb93c10a", "b98108478d87351d5dbad95b8011fa0339688e7d60bb1041d7f7381fffd10707"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5wm8-gmm8-39j9", "level": "error", "message": {"text": "fast-xml-builder: GHSA-5wm8-gmm8-39j9"}, "properties": {"repobilityId": 112148, "scanner": "osv-scanner", "fingerprint": "ddf76aac0a5d96374516c81e1aec16f2feda9a9023dd8cb1a67b92bd109d4673", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44665"], "package": "fast-xml-builder", "rule_id": "GHSA-5wm8-gmm8-39j9", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-builder|CVE-2026-44665|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 112147, "scanner": "osv-scanner", "fingerprint": "757ca37fe4ebddf5cdaa5c162265d6a31d93aef1fb513c46093294c58d5112ab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6322|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 112146, "scanner": "osv-scanner", "fingerprint": "25bb35258c39d7fb16dad079b84e7a9b4b5253e8dee49c1760d88494d1e449a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6321|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jjp3-mq3x-295m", "level": "error", "message": {"text": "electron: GHSA-jjp3-mq3x-295m"}, "properties": {"repobilityId": 112139, "scanner": "osv-scanner", "fingerprint": "c7bdcf326011d77dbea089366198a0fe571434e62bff8544c0e405522d2e255e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34770"], "package": "electron", "rule_id": "GHSA-jjp3-mq3x-295m", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34770|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9wfr-w7mm-pc7f", "level": "error", "message": {"text": "electron: GHSA-9wfr-w7mm-pc7f"}, "properties": {"repobilityId": 112135, "scanner": "osv-scanner", "fingerprint": 
"0870843efa8ece04d1b386700703d31fc96297490d8b38402cad9b9740fe9507", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34769"], "package": "electron", "rule_id": "GHSA-9wfr-w7mm-pc7f", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34769|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8337-3p73-46f4", "level": "error", "message": {"text": "electron: GHSA-8337-3p73-46f4"}, "properties": {"repobilityId": 112131, "scanner": "osv-scanner", "fingerprint": "c15c0932e513ef5dda7e1bc69518d064cd78f06c5f72b026ae12fcd1019eae91", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34771"], "package": "electron", "rule_id": "GHSA-8337-3p73-46f4", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34771|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-532v-xpq5-8h95", "level": "error", "message": {"text": "electron: GHSA-532v-xpq5-8h95"}, "properties": {"repobilityId": 112129, "scanner": "osv-scanner", "fingerprint": "b86868eafcb24f757e032c56ebda9241f317ebfc84f58a4e1394569f7e82af76", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34774"], "package": "electron", "rule_id": "GHSA-532v-xpq5-8h95", "scanner": "osv-scanner", "correlation_key": "vuln|electron|CVE-2026-34774|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-77vg-94rm-hx3p", 
"level": "error", "message": {"text": "devalue: GHSA-77vg-94rm-hx3p"}, "properties": {"repobilityId": 112125, "scanner": "osv-scanner", "fingerprint": "a60dfe0860d8352f1e32d22ef5503a6ab361743264ac828cdda7e9246d12e7c7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42570"], "package": "devalue", "rule_id": "GHSA-77vg-94rm-hx3p", "scanner": "osv-scanner", "correlation_key": "vuln|devalue|CVE-2026-42570|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-737v-mqg7-c878", "level": "error", "message": {"text": "defu: GHSA-737v-mqg7-c878"}, "properties": {"repobilityId": 112124, "scanner": "osv-scanner", "fingerprint": "af606e9886cffaeede5516b5c778494cf847acee018be87081ce5243df80140f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-35209"], "package": "defu", "rule_id": "GHSA-737v-mqg7-c878", "scanner": "osv-scanner", "correlation_key": "vuln|defu|CVE-2026-35209|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3xgq-45jj-v275", "level": "error", "message": {"text": "cross-spawn: GHSA-3xgq-45jj-v275"}, "properties": {"repobilityId": 112123, "scanner": "osv-scanner", "fingerprint": "1855d612cc7fdd9130ef42e526b76e7cf21a3a0a1ba38d62756b48f6e01b6cb5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-21538"], "package": "cross-spawn", "rule_id": "GHSA-3xgq-45jj-v275", "scanner": "osv-scanner", "correlation_key": "vuln|cross-spawn|CVE-2024-21538|pnpm-lock.yaml"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8qp-cvcw-x6jj", "level": "error", "message": {"text": "axios: GHSA-q8qp-cvcw-x6jj"}, "properties": {"repobilityId": 112114, "scanner": "osv-scanner", "fingerprint": "e05a9e20e8e6eac42a55f04c532fd02a6164709526de53afe458a59b40df2c90", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42264"], "package": "axios", "rule_id": "GHSA-q8qp-cvcw-x6jj", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42264|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pf86-5x62-jrwf", "level": "error", "message": {"text": "axios: GHSA-pf86-5x62-jrwf"}, "properties": {"repobilityId": 112113, "scanner": "osv-scanner", "fingerprint": "80cc3a6505b01b10a7b20169a3af0abed41a5dbf0b37fd0788b1584ea84ece88", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42033"], "package": "axios", "rule_id": "GHSA-pf86-5x62-jrwf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42033|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p92q-9vqr-4j8v", "level": "error", "message": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "properties": {"repobilityId": 112112, "scanner": "osv-scanner", "fingerprint": "58a2c93366db904dce2b18529ec6438c7b6662276cc08ba366c9dbb8da75998b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44487"], "package": "axios", 
"rule_id": "GHSA-p92q-9vqr-4j8v", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44487|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j5f8-grm9-p9fc", "level": "error", "message": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "properties": {"repobilityId": 112110, "scanner": "osv-scanner", "fingerprint": "76ef31d5e50af68a7b227abfb2969b95e29d545c8843b19cec014bc5f21366cb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44486"], "package": "axios", "rule_id": "GHSA-j5f8-grm9-p9fc", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44486|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hfxv-24rg-xrqf", "level": "error", "message": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "properties": {"repobilityId": 112109, "scanner": "osv-scanner", "fingerprint": "6b85258045487c1d7389ae9ef1e56cf0f588da1a6ae1c36173921999af94f33a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44496"], "package": "axios", "rule_id": "GHSA-hfxv-24rg-xrqf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44496|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-777c-7fjr-54vf", "level": "error", "message": {"text": "axios: GHSA-777c-7fjr-54vf"}, "properties": {"repobilityId": 112106, "scanner": "osv-scanner", "fingerprint": "013aee88a8f58faedaac34948a383435c196f3112f33129ef8a6775ff82d4923", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44488"], "package": "axios", "rule_id": "GHSA-777c-7fjr-54vf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44488|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6chq-wfr3-2hj9", "level": "error", "message": {"text": "axios: GHSA-6chq-wfr3-2hj9"}, "properties": {"repobilityId": 112105, "scanner": "osv-scanner", "fingerprint": "a2ff534710c7748202e16ff4c644afa1a0780f71b6984c137866443fb777192d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42035"], "package": "axios", "rule_id": "GHSA-6chq-wfr3-2hj9", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42035|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pjwm-pj3p-43mv", "level": "error", "message": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "properties": {"repobilityId": 112100, "scanner": "osv-scanner", "fingerprint": "b0f13c06fcb4459b7e3bff6ca566d21e96a17387f899e7c35ee73a66e3445940", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44492"], "package": "axios", "rule_id": "GHSA-pjwm-pj3p-43mv", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2025-62718|pnpm-lock.yaml", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-3p68-rc4w-qgx5", "GHSA-pjwm-pj3p-43mv", "GHSA-pmwg-cvhr-8vh7"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["4c465cf2235c9a91f67655de1f6a3cdcfe016f171dc192cb23e28bba41849dff", 
"a93c1a48543b96add25e86d18736baffb14dcb99b4f5fce4aa23d272e3996c64", "b0f13c06fcb4459b7e3bff6ca566d21e96a17387f899e7c35ee73a66e3445940"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3g43-6gmg-66jw", "level": "error", "message": {"text": "axios: GHSA-3g43-6gmg-66jw"}, "properties": {"repobilityId": 112099, "scanner": "osv-scanner", "fingerprint": "8e5f0874d25fffdec28985b4279fea4684b3d0ca634170ac15c603b6d73f0b9e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44495"], "package": "axios", "rule_id": "GHSA-3g43-6gmg-66jw", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44495|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-35jp-ww65-95wh", "level": "error", "message": {"text": "axios: GHSA-35jp-ww65-95wh"}, "properties": {"repobilityId": 112098, "scanner": "osv-scanner", "fingerprint": "519904d3f3573867e4ae00885ba2aa2c8be1c2653e958ef884dbbca2450d6316", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44494"], "package": "axios", "rule_id": "GHSA-35jp-ww65-95wh", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44494|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x6wf-f3px-wcqx", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx"}, "properties": {"repobilityId": 112095, "scanner": "osv-scanner", "fingerprint": "c0f892c139bfd4e3348f362e745baf38b56e6953910dde5f826a86b96dc17653", "category": "dependency", "severity": "high", "confidence": 0.88, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41675"], "package": "@xmldom/xmldom", "rule_id": "GHSA-x6wf-f3px-wcqx", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41675|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wh4c-j3r5-mjhp", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp"}, "properties": {"repobilityId": 112094, "scanner": "osv-scanner", "fingerprint": "db94dcf07b884daf08ec926465070f7f756d1520f6dc5cc08d6c7aecc02215c2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34601"], "package": "@xmldom/xmldom", "rule_id": "GHSA-wh4c-j3r5-mjhp", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-34601|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j759-j44w-7fr8", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-j759-j44w-7fr8"}, "properties": {"repobilityId": 112093, "scanner": "osv-scanner", "fingerprint": "adbf58756e7176987a86c9d633b6754fa7e991a96c1763554be2ed2b350b3ff6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41672"], "package": "@xmldom/xmldom", "rule_id": "GHSA-j759-j44w-7fr8", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41672|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f6ww-3ggp-fr8h", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h"}, "properties": 
{"repobilityId": 112092, "scanner": "osv-scanner", "fingerprint": "a8991a924dfa5b75da05017304e4acd96f5d5b83ea10960fc2ad6db74c9a17c8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41674"], "package": "@xmldom/xmldom", "rule_id": "GHSA-f6ww-3ggp-fr8h", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41674|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2v35-w6hq-6mfw", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw"}, "properties": {"repobilityId": 112091, "scanner": "osv-scanner", "fingerprint": "611a284af499c2f75b689db4a9cf087c74833ffac8b9963a5d0d14fbde1eedee", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41673"], "package": "@xmldom/xmldom", "rule_id": "GHSA-2v35-w6hq-6mfw", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41673|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jg4p-7fhp-p32p", "level": "error", "message": {"text": "@hapi/content: GHSA-jg4p-7fhp-p32p"}, "properties": {"repobilityId": 112087, "scanner": "osv-scanner", "fingerprint": "c45a019c3ffdb6b2fc231606052adcfe5f125758f0eacb86241ef4d56a64dfba", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-35213"], "package": "@hapi/content", "rule_id": "GHSA-jg4p-7fhp-p32p", "scanner": "osv-scanner", "correlation_key": "vuln|hapi/content|CVE-2026-35213|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-36hh-x5p5-jgc8", "level": "error", "message": {"text": "@hapi/content: GHSA-36hh-x5p5-jgc8"}, "properties": {"repobilityId": 112086, "scanner": "osv-scanner", "fingerprint": "dff8f5ace555fc1a6e475489435de9c79d9203a726d0849234ec749e148f43bd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44974"], "package": "@hapi/content", "rule_id": "GHSA-36hh-x5p5-jgc8", "scanner": "osv-scanner", "correlation_key": "vuln|hapi/content|CVE-2026-44974|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5039", "level": "error", "message": {"text": "stdlib: GO-2026-5039"}, "properties": {"repobilityId": 112085, "scanner": "osv-scanner", "fingerprint": "a83e627c146ec5ae6354a209b08e46b90552fb3a55f244faf312d2b6a843ac55", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42507", "CVE-2026-42507"], "package": "stdlib", "rule_id": "GO-2026-5039", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42507|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5038", "level": "error", "message": {"text": "stdlib: GO-2026-5038"}, "properties": {"repobilityId": 112084, "scanner": "osv-scanner", "fingerprint": "26372ffc012a6e2f27ce548bd31a794161794f6db76480f81788e01849ca8dcf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42504", "CVE-2026-42504"], "package": "stdlib", "rule_id": 
"GO-2026-5038", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42504|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5037", "level": "error", "message": {"text": "stdlib: GO-2026-5037"}, "properties": {"repobilityId": 112083, "scanner": "osv-scanner", "fingerprint": "7541d4dba5fe7d349432ff80e6bd46b2c38dd49496f069ec8dc88c96fdceac42", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-27145", "CVE-2026-27145"], "package": "stdlib", "rule_id": "GO-2026-5037", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-27145|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4986", "level": "error", "message": {"text": "stdlib: GO-2026-4986"}, "properties": {"repobilityId": 112082, "scanner": "osv-scanner", "fingerprint": "55d3beed68a8f5e42f18723efe918ad21fc61328525c12c89ad625c5d23b7d9a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39820", "CVE-2026-39820"], "package": "stdlib", "rule_id": "GO-2026-4986", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39820|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4982", "level": "error", "message": {"text": "stdlib: GO-2026-4982"}, "properties": {"repobilityId": 112081, "scanner": "osv-scanner", "fingerprint": "06597abb53f8beb41690d7c819ff1d3e8a2462b14165f2aec6adf584ae5391fe", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"match": "", "aliases": ["BIT-golang-2026-39823", "CVE-2026-39823"], "package": "stdlib", "rule_id": "GO-2026-4982", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39823|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4981", "level": "error", "message": {"text": "stdlib: GO-2026-4981"}, "properties": {"repobilityId": 112080, "scanner": "osv-scanner", "fingerprint": "28de4e8cade658d2e44ab8fd3e29ba0bdfdf0b1eeb2ffec399deac5678b03a31", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-33811", "CVE-2026-33811"], "package": "stdlib", "rule_id": "GO-2026-4981", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-33811|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4980", "level": "error", "message": {"text": "stdlib: GO-2026-4980"}, "properties": {"repobilityId": 112079, "scanner": "osv-scanner", "fingerprint": "10ec7b10c93ff987796c913ebbfb76a710d8ed93bbbe45b13f6f0d10e2b211e6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39826", "CVE-2026-39826"], "package": "stdlib", "rule_id": "GO-2026-4980", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39826|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4977", "level": "error", "message": {"text": "stdlib: GO-2026-4977"}, "properties": {"repobilityId": 112078, "scanner": "osv-scanner", "fingerprint": "3620a62e00e33214f96ebc7312d23fec44851a9ee712599ee745845147c40e21", "category": "dependency", "severity": "high", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42499", "CVE-2026-42499"], "package": "stdlib", "rule_id": "GO-2026-4977", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42499|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4976", "level": "error", "message": {"text": "stdlib: GO-2026-4976"}, "properties": {"repobilityId": 112077, "scanner": "osv-scanner", "fingerprint": "68c9ed164767bc1abc8d6a8706cf655bcaa445cc8f997e11de5c53701466a0a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39825", "CVE-2026-39825"], "package": "stdlib", "rule_id": "GO-2026-4976", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39825|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4971", "level": "error", "message": {"text": "stdlib: GO-2026-4971"}, "properties": {"repobilityId": 112076, "scanner": "osv-scanner", "fingerprint": "1a9b8779ea85b5b0ef026400c900b7f27dcd6628d9b6df9f442929c24844f89e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39836", "CVE-2026-39836"], "package": "stdlib", "rule_id": "GO-2026-4971", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39836|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4947", "level": "error", "message": {"text": "stdlib: GO-2026-4947"}, "properties": {"repobilityId": 112075, "scanner": "osv-scanner", "fingerprint": 
"6a2263e9fecc21871d7240174f9ea0f2519ea0ac23b3fc3ff0ed52e2c5b99602", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32280", "CVE-2026-32280"], "package": "stdlib", "rule_id": "GO-2026-4947", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32280|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4946", "level": "error", "message": {"text": "stdlib: GO-2026-4946"}, "properties": {"repobilityId": 112074, "scanner": "osv-scanner", "fingerprint": "9eee462c00c8456bd7d2d4badc7bf78d311924612882fb6fc2e47014d51e47a2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32281", "CVE-2026-32281"], "package": "stdlib", "rule_id": "GO-2026-4946", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32281|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4918", "level": "error", "message": {"text": "stdlib: GO-2026-4918"}, "properties": {"repobilityId": 112073, "scanner": "osv-scanner", "fingerprint": "b5a44e944ffd7c105aa62904a3469805e8033225279767b94a0d562437b7e9f6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-33814", "CVE-2026-33814"], "package": "stdlib", "rule_id": "GO-2026-4918", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-33814|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4870", "level": "error", "message": {"text": "stdlib: 
GO-2026-4870"}, "properties": {"repobilityId": 112072, "scanner": "osv-scanner", "fingerprint": "7a602b0215fccffc7bd6ea6495a41311331a53696d26e919d4c27e06e7dc1127", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32283", "CVE-2026-32283"], "package": "stdlib", "rule_id": "GO-2026-4870", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32283|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4869", "level": "error", "message": {"text": "stdlib: GO-2026-4869"}, "properties": {"repobilityId": 112071, "scanner": "osv-scanner", "fingerprint": "2616d3ca78cea03ffe2fd69591ac572a5c26c1a0f2d9b7251c276d1c7ef533e2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32288", "CVE-2026-32288"], "package": "stdlib", "rule_id": "GO-2026-4869", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32288|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4865", "level": "error", "message": {"text": "stdlib: GO-2026-4865"}, "properties": {"repobilityId": 112070, "scanner": "osv-scanner", "fingerprint": "99144fa7a438f5de339d05331016ab642fcdd56d3e34fcd10966c226dc703277", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32289", "CVE-2026-32289"], "package": "stdlib", "rule_id": "GO-2026-4865", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32289|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "GO-2026-4864", "level": "error", "message": {"text": "stdlib: GO-2026-4864"}, "properties": {"repobilityId": 112069, "scanner": "osv-scanner", "fingerprint": "3eda3039016c3998065f2008f357040040a62205b6827640c36d1af597f1321e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-32282", "CVE-2026-32282"], "package": "stdlib", "rule_id": "GO-2026-4864", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-32282|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4603", "level": "error", "message": {"text": "stdlib: GO-2026-4603"}, "properties": {"repobilityId": 112068, "scanner": "osv-scanner", "fingerprint": "d7d3f84a2aefd06da14535bc5bd652521167fa18c1af035dad60fbeaaab718b4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-27142", "CVE-2026-27142"], "package": "stdlib", "rule_id": "GO-2026-4603", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-27142|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4602", "level": "error", "message": {"text": "stdlib: GO-2026-4602"}, "properties": {"repobilityId": 112067, "scanner": "osv-scanner", "fingerprint": "72fb48c374368b7b6746faae03f792b1fbfc30fa0ca49a9c6798f4728600e9be", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-27139", "CVE-2026-27139"], "package": "stdlib", "rule_id": "GO-2026-4602", "scanner": "osv-scanner", "correlation_key": 
"vuln|stdlib|CVE-2026-27139|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4601", "level": "error", "message": {"text": "stdlib: GO-2026-4601"}, "properties": {"repobilityId": 112066, "scanner": "osv-scanner", "fingerprint": "a44cc08228f1d2907c99f8e158dface76fff075b40ff17af8f0b2c72ef35f74d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-25679", "CVE-2026-25679"], "package": "stdlib", "rule_id": "GO-2026-4601", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-25679|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4342", "level": "error", "message": {"text": "stdlib: GO-2026-4342"}, "properties": {"repobilityId": 112065, "scanner": "osv-scanner", "fingerprint": "5278430be17741e61400d1f30710c44ddd2ec4dbdf3e87b6ff60d0386927ed95", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61728", "CVE-2025-61728"], "package": "stdlib", "rule_id": "GO-2026-4342", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61728|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4341", "level": "error", "message": {"text": "stdlib: GO-2026-4341"}, "properties": {"repobilityId": 112064, "scanner": "osv-scanner", "fingerprint": "b15f19c3a93c4dbe48ec5dce4f897a4b0cc1804a795108b2290301d4b2a4d088", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61726", 
"CVE-2025-61726"], "package": "stdlib", "rule_id": "GO-2026-4341", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61726|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4340", "level": "error", "message": {"text": "stdlib: GO-2026-4340"}, "properties": {"repobilityId": 112063, "scanner": "osv-scanner", "fingerprint": "5fdcf088afd1d1512255dceef1dbf16199182fbd6c905f1f2602e05a2767df04", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61730", "CVE-2025-61730"], "package": "stdlib", "rule_id": "GO-2026-4340", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61730|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4337", "level": "error", "message": {"text": "stdlib: GO-2026-4337"}, "properties": {"repobilityId": 112062, "scanner": "osv-scanner", "fingerprint": "cce309486249674e847b44d5166efc9503259ae3b6eb4899b6e518afa40306d2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-68121", "CVE-2025-68121"], "package": "stdlib", "rule_id": "GO-2026-4337", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-68121|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4175", "level": "error", "message": {"text": "stdlib: GO-2025-4175"}, "properties": {"repobilityId": 112061, "scanner": "osv-scanner", "fingerprint": "1451c80f35b0899164a856594b8131a7dbe181b7fcf1e04f9e5627c91fbc785b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61727", "CVE-2025-61727"], "package": "stdlib", "rule_id": "GO-2025-4175", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61727|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4155", "level": "error", "message": {"text": "stdlib: GO-2025-4155"}, "properties": {"repobilityId": 112060, "scanner": "osv-scanner", "fingerprint": "f61e290522280d57b31ad4d3e4b1ad634809a6fcb83c544a5c73e36f89a1f1a2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61729", "CVE-2025-61729"], "package": "stdlib", "rule_id": "GO-2025-4155", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61729|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4015", "level": "error", "message": {"text": "stdlib: GO-2025-4015"}, "properties": {"repobilityId": 112059, "scanner": "osv-scanner", "fingerprint": "ed0a3973c0fa749d25a3a29ec0d042b62018010b09d9988c279fa1b03b53db68", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61724", "CVE-2025-61724"], "package": "stdlib", "rule_id": "GO-2025-4015", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61724|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4014", "level": "error", "message": {"text": "stdlib: GO-2025-4014"}, "properties": {"repobilityId": 112058, "scanner": "osv-scanner", "fingerprint": "1c5da88f89311fe3e0d4ca3c5bcf3fee82455fbf0637d840afeeef8e224e3f93", 
"category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58183", "CVE-2025-58183"], "package": "stdlib", "rule_id": "GO-2025-4014", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58183|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4013", "level": "error", "message": {"text": "stdlib: GO-2025-4013"}, "properties": {"repobilityId": 112057, "scanner": "osv-scanner", "fingerprint": "5525e27eeb74c5af76e1e938a8d07a793af27f2eeb33e65cf22e243f0014d625", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58188", "CVE-2025-58188"], "package": "stdlib", "rule_id": "GO-2025-4013", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58188|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4012", "level": "error", "message": {"text": "stdlib: GO-2025-4012"}, "properties": {"repobilityId": 112056, "scanner": "osv-scanner", "fingerprint": "789ab5700c0df2d86e95dba3cb69feab9bf7a5d2c906a6408fff440e3e02f2ea", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58186", "CVE-2025-58186"], "package": "stdlib", "rule_id": "GO-2025-4012", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58186|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4011", "level": "error", "message": {"text": "stdlib: GO-2025-4011"}, "properties": {"repobilityId": 112055, "scanner": 
"osv-scanner", "fingerprint": "3787f51453125abfc86f44a498517eb562d10ba89c1715559eed0589463f97fc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58185", "CVE-2025-58185"], "package": "stdlib", "rule_id": "GO-2025-4011", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58185|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4010", "level": "error", "message": {"text": "stdlib: GO-2025-4010"}, "properties": {"repobilityId": 112054, "scanner": "osv-scanner", "fingerprint": "6619eae742afe9811d2c58cf98521e0e5887009b7b0d77bbcd350f067171d39c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-47912", "CVE-2025-47912"], "package": "stdlib", "rule_id": "GO-2025-4010", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-47912|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4009", "level": "error", "message": {"text": "stdlib: GO-2025-4009"}, "properties": {"repobilityId": 112053, "scanner": "osv-scanner", "fingerprint": "c7131dfb85dbd427f287b5ecd77ebff08e7cabd52a24f6caa30257a0a22364d6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61723", "CVE-2025-61723"], "package": "stdlib", "rule_id": "GO-2025-4009", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61723|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4008", "level": "error", 
"message": {"text": "stdlib: GO-2025-4008"}, "properties": {"repobilityId": 112052, "scanner": "osv-scanner", "fingerprint": "9bb81c1794b76053af760b2b859c96f1db217da1c31e0ebea41bb484cd5fa47e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58189", "CVE-2025-58189"], "package": "stdlib", "rule_id": "GO-2025-4008", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58189|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4007", "level": "error", "message": {"text": "stdlib: GO-2025-4007"}, "properties": {"repobilityId": 112051, "scanner": "osv-scanner", "fingerprint": "6fbd9e9d19224c8aa99ec9f874889b008ed7580c9b5e277450916050f07dc7c7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-58187", "CVE-2025-58187"], "package": "stdlib", "rule_id": "GO-2025-4007", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-58187|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4006", "level": "error", "message": {"text": "stdlib: GO-2025-4006"}, "properties": {"repobilityId": 112050, "scanner": "osv-scanner", "fingerprint": "a2c54d7b47764090eb05f87beb521bde5a52154fe53a43225348488ed5e28e3d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2025-61725", "CVE-2025-61725"], "package": "stdlib", "rule_id": "GO-2025-4006", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2025-61725|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5030", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5030"}, "properties": {"repobilityId": 112048, "scanner": "osv-scanner", "fingerprint": "f56f13f5fd0d02e616781fb4e263264064c55d496b56f34e2e697db0a1750dd6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27136"], "package": "golang.org/x/net", "rule_id": "GO-2026-5030", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-27136|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5029", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5029"}, "properties": {"repobilityId": 112047, "scanner": "osv-scanner", "fingerprint": "346c97831be09b89603f8819967a1caf39f8f572a2d5dc5925a9ae0a6b98856e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25681"], "package": "golang.org/x/net", "rule_id": "GO-2026-5029", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-25681|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5028", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5028"}, "properties": {"repobilityId": 112046, "scanner": "osv-scanner", "fingerprint": "796445bee725d6616761216b224cb420e85017321d01a56e43bf03efe210c5f5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25680"], "package": "golang.org/x/net", "rule_id": "GO-2026-5028", "scanner": "osv-scanner", 
"correlation_key": "vuln|golang.org/x/net|CVE-2026-25680|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5027", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5027"}, "properties": {"repobilityId": 112045, "scanner": "osv-scanner", "fingerprint": "acf4f4ae909e3489f7be9bc36808d846c836956d4a36bc26ba43890f213b1436", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42502"], "package": "golang.org/x/net", "rule_id": "GO-2026-5027", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-42502|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5026", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5026"}, "properties": {"repobilityId": 112044, "scanner": "osv-scanner", "fingerprint": "2a9be343e7c5c43785f4d36c5506f23f8b055fb0d461a84395ad634441be541a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39821"], "package": "golang.org/x/net", "rule_id": "GO-2026-5026", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-39821|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5025", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5025"}, "properties": {"repobilityId": 112043, "scanner": "osv-scanner", "fingerprint": "be62fe7df92442560f1a21cceb16f1ca23f3e9cbe2e00b9699b8ae286a0012ce", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", 
"aliases": ["CVE-2026-42506"], "package": "golang.org/x/net", "rule_id": "GO-2026-5025", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-42506|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4918", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-4918"}, "properties": {"repobilityId": 112042, "scanner": "osv-scanner", "fingerprint": "d07e75663319e62f27408375428863546ab8185771ef2447feb53879555f4916", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-33814", "CVE-2026-33814"], "package": "golang.org/x/net", "rule_id": "GO-2026-4918", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-33814|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5032", "level": "error", "message": {"text": "golang.org/x/image: GO-2026-5032"}, "properties": {"repobilityId": 112041, "scanner": "osv-scanner", "fingerprint": "0c775caf0e9b5d80077a020cff5c96d5cd6efbd3197e928f8b8fa1f0cd633b68", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46599"], "package": "golang.org/x/image", "rule_id": "GO-2026-5032", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/image|CVE-2026-46599|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5031", "level": "error", "message": {"text": "golang.org/x/image: GO-2026-5031"}, "properties": {"repobilityId": 112040, "scanner": "osv-scanner", "fingerprint": "b66bc87e9087f2fbb63a1b7be38f59ce4d0fef8e698ea3827a99ca094a92efc9", "category": 
"dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42500"], "package": "golang.org/x/image", "rule_id": "GO-2026-5031", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/image|CVE-2026-42500|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4962", "level": "error", "message": {"text": "golang.org/x/image: GO-2026-4962"}, "properties": {"repobilityId": 112039, "scanner": "osv-scanner", "fingerprint": "822a57faa7f99ac28d4d56ee8f6c7af481eba4c6694557077d2ca65f76e6dd30", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33812"], "package": "golang.org/x/image", "rule_id": "GO-2026-4962", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/image|CVE-2026-33812|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4961", "level": "error", "message": {"text": "golang.org/x/image: GO-2026-4961"}, "properties": {"repobilityId": 112038, "scanner": "osv-scanner", "fingerprint": "35ac65516859eec35f3a8eef22bf9aa01a062e3d500fc70abb39277c8b12a609", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33813"], "package": "golang.org/x/image", "rule_id": "GO-2026-4961", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/image|CVE-2026-33813|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4815", "level": "error", "message": {"text": "golang.org/x/image: GO-2026-4815"}, "properties": {"repobilityId": 
112037, "scanner": "osv-scanner", "fingerprint": "5d5a65fb18aca0b7beef0e3cfd85223c935c07c53dd202b4c362cadfe6fd0089", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33809", "GHSA-44p7-9xx4-hf2g"], "package": "golang.org/x/image", "rule_id": "GO-2026-4815", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/image|CVE-2026-33809|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-44p7-9xx4-hf2g", "GO-2026-4815"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["56de9df9dee2095792a03095fbbf638d29eabe8c704fc25e9c74d54e2b91d4c4", "5d5a65fb18aca0b7beef0e3cfd85223c935c07c53dd202b4c362cadfe6fd0089"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5033", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5033"}, "properties": {"repobilityId": 112036, "scanner": "osv-scanner", "fingerprint": "ad1d47a6aef958448f22a42c2d60392dc7008e25932b619f84e66221eb131e95", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46598"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5033", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46598|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5023", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5023"}, "properties": {"repobilityId": 112035, "scanner": "osv-scanner", "fingerprint": "2d612844c17f0f3569717978b60331059540fefc1c2346e38678f12228b2ebdb", "category": "dependency", "severity": "high", "confidence": 0.88, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46595"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5023", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46595|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5021", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5021"}, "properties": {"repobilityId": 112034, "scanner": "osv-scanner", "fingerprint": "9cfea8adee448a2428e663f481c352e77e2cd449655562d5b118efedfb7da4f8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42508"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5021", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-42508|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5020", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5020"}, "properties": {"repobilityId": 112033, "scanner": "osv-scanner", "fingerprint": "93b646b3920c3a2193a1efdebfdfa5196ce3475c1dc5bae6355a6e1f9cbf460a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39834"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5020", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39834|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5019", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5019"}, "properties": {"repobilityId": 112032, "scanner": "osv-scanner", 
"fingerprint": "345537a037a5b3177ae140a9e9c405ec64da8434ead8931918ec7573a6ce20b3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39831"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5019", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39831|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5018", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5018"}, "properties": {"repobilityId": 112031, "scanner": "osv-scanner", "fingerprint": "949f77a9611832376c508d55bf01659a712274ac105d24e504e15dd5e1dbf16f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39829"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5018", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39829|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5017", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5017"}, "properties": {"repobilityId": 112030, "scanner": "osv-scanner", "fingerprint": "2930f2404722144c851cb9051c8ebf92002718de31c8d9fd7a648ca0f2ef6ada", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39830"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5017", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39830|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5016", 
"level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5016"}, "properties": {"repobilityId": 112029, "scanner": "osv-scanner", "fingerprint": "ac67bbb6c13f69fe38c8bbe16cf8fe7e2ed0ab66e0c5b15dba53f20834fe3d86", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39827"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5016", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39827|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5015", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5015"}, "properties": {"repobilityId": 112028, "scanner": "osv-scanner", "fingerprint": "2e502398ad2ca483c07bc43556f4c4eb205c7761c2c9cd89d2d1aee4f087438f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39835"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5015", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39835|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5014", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5014"}, "properties": {"repobilityId": 112027, "scanner": "osv-scanner", "fingerprint": "8daae6fef532b43e67fa01a55acbd01bab03899e2f5d4ad247bee8e8442024dd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39828"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5014", "scanner": "osv-scanner", "correlation_key": 
"vuln|golang.org/x/crypto|CVE-2026-39828|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5013", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5013"}, "properties": {"repobilityId": 112026, "scanner": "osv-scanner", "fingerprint": "ccaa102abe73278dc6503207bd926859d7ba8955ec415d747a72b6b58b6a3dc3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46597"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5013", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46597|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5006", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5006"}, "properties": {"repobilityId": 112025, "scanner": "osv-scanner", "fingerprint": "8b88451b530e190692c439835073029a47d5722b48b6a00ddb5e3369824775a2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39832"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5006", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39832|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5005", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5005"}, "properties": {"repobilityId": 112024, "scanner": "osv-scanner", "fingerprint": "ae98cdae0aac80f7b5a30a91f9180936ed79f348030d056d429d20e8b082f033", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", 
"aliases": ["CVE-2026-39833"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5005", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39833|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hfvc-g4fc-pqhx", "level": "error", "message": {"text": "go.opentelemetry.io/otel/sdk: GHSA-hfvc-g4fc-pqhx"}, "properties": {"repobilityId": 112023, "scanner": "osv-scanner", "fingerprint": "03cfdbec74627f80651a23f7e9970bc8324a028e3a43e4aa179de7d1323e16a0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39883"], "package": "go.opentelemetry.io/otel/sdk", "rule_id": "GHSA-hfvc-g4fc-pqhx", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-39883|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4394", "level": "error", "message": {"text": "go.opentelemetry.io/otel/sdk: GO-2026-4394"}, "properties": {"repobilityId": 112022, "scanner": "osv-scanner", "fingerprint": "caa16edd1536be5e87325cb456a213c61f0a93249af32f7cbaa4d11ce76ecd8d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-24051", "GHSA-9h8m-3fm2-qjrq"], "package": "go.opentelemetry.io/otel/sdk", "rule_id": "GO-2026-4394", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-24051|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-9h8m-3fm2-qjrq", "GO-2026-4394"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["21fbcc03e9b5a5f01b6da5b909b25fc02d4a558858b4e812cbcdf1b953a98e99", 
"caa16edd1536be5e87325cb456a213c61f0a93249af32f7cbaa4d11ce76ecd8d"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4985", "level": "error", "message": {"text": "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: GO-2026-4985"}, "properties": {"repobilityId": 112021, "scanner": "osv-scanner", "fingerprint": "6fb35f5b4b576aba0a0d17c8669a6a8e6edce052dffa931cb68edd174506aaf1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-39882", "GHSA-w8rr-5gcm-pp58"], "package": "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp", "rule_id": "GO-2026-4985", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-39882|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-w8rr-5gcm-pp58", "GO-2026-4985"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["2c89746b6522788ce6b5cae4de634f28f44d39dd7cf8d8e49924c3c101ec52d1", "6fb35f5b4b576aba0a0d17c8669a6a8e6edce052dffa931cb68edd174506aaf1"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mh2q-q3fh-2475", "level": "error", "message": {"text": "go.opentelemetry.io/otel: GHSA-mh2q-q3fh-2475"}, "properties": {"repobilityId": 112020, "scanner": "osv-scanner", "fingerprint": "064896838da2337f5de42b9052e70ba0bf9ff625bb5109bdf2495a450b1cd32d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-29181"], "package": "go.opentelemetry.io/otel", "rule_id": "GHSA-mh2q-q3fh-2475", "scanner": "osv-scanner", "correlation_key": "vuln|go.opentelemetry.io/otel|CVE-2026-29181|go.mod"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3748", "level": "error", "message": {"text": "github.com/pion/interceptor: GO-2025-3748"}, "properties": {"repobilityId": 112019, "scanner": "osv-scanner", "fingerprint": "6bfa6c2019320262cebfc248676b4f5791093cd80abcc413807002736c7e2fab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-49140", "GHSA-f26w-gh5m-qq77"], "package": "github.com/pion/interceptor", "rule_id": "GO-2025-3748", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/pion/interceptor|CVE-2025-49140|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-f26w-gh5m-qq77", "GO-2025-3748"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["6bfa6c2019320262cebfc248676b4f5791093cd80abcc413807002736c7e2fab", "933611142c6c698a404ce6e6a7bae8716bc94c5bb58e5ecc0ceb43d3cce7ef93"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4771", "level": "error", "message": {"text": "github.com/jackc/pgx/v5: GO-2026-4771"}, "properties": {"repobilityId": 112015, "scanner": "osv-scanner", "fingerprint": "1a16bd6ffacb08b49ebcbcf3fb6f23270129171b846ac0377a62c6a255e53985", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33815", "GHSA-xgrm-4fwx-7qm8"], "package": "github.com/jackc/pgx/v5", "rule_id": "GO-2026-4771", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/jackc/pgx/v5|CVE-2026-33815|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3900", "level": 
"error", "message": {"text": "github.com/go-viper/mapstructure/v2: GO-2025-3900"}, "properties": {"repobilityId": 112012, "scanner": "osv-scanner", "fingerprint": "b2aa802bb8e9cacabe469e1821e28090402f95514a9d5a4a00d08dd8aea8ddfe", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-11065", "GHSA-2464-8j7c-4cjm"], "package": "github.com/go-viper/mapstructure/v2", "rule_id": "GO-2025-3900", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2025-11065|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-2464-8j7c-4cjm", "GO-2025-3900"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["b2aa802bb8e9cacabe469e1821e28090402f95514a9d5a4a00d08dd8aea8ddfe", "ba3918f6b5f6f838a57240c572e45314391a7d4393f2e2f25e019fa8b32b887e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3787", "level": "error", "message": {"text": "github.com/go-viper/mapstructure/v2: GO-2025-3787"}, "properties": {"repobilityId": 112011, "scanner": "osv-scanner", "fingerprint": "22fa4366a60adb5d056d141ea3dd3b60b2530f8ccb9402d43526ec8a617070bd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-fv92-fjc5-jj9h"], "package": "github.com/go-viper/mapstructure/v2", "rule_id": "GO-2025-3787", "scanner": "osv-scanner", "correlation_key": "vuln|token|GHSA-FV92-FJC5-JJ9H|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-fv92-fjc5-jj9h", "GO-2025-3787"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["22fa4366a60adb5d056d141ea3dd3b60b2530f8ccb9402d43526ec8a617070bd", 
"a734431844bd4fd57c0b24cec15c1090b2b0a0e50a830f84a805b94257bbf681"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4945", "level": "error", "message": {"text": "github.com/go-jose/go-jose/v4: GO-2026-4945"}, "properties": {"repobilityId": 112010, "scanner": "osv-scanner", "fingerprint": "3cc0e677211f964aea17d75d696a5b5c1d5cca13339093ceb37e2b2ee8d63bfc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34986", "GHSA-78h2-9frx-2jm8"], "package": "github.com/go-jose/go-jose/v4", "rule_id": "GO-2026-4945", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-34986|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-78h2-9frx-2jm8", "GO-2026-4945"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3cc0e677211f964aea17d75d696a5b5c1d5cca13339093ceb37e2b2ee8d63bfc", "7f5a0f7c21f4fef9848ba8ce28b288b0be2c19bf86e055b5f87e393548fc076b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-389r-gv7p-r3rp", "level": "error", "message": {"text": "github.com/go-git/go-git/v5: GHSA-389r-gv7p-r3rp"}, "properties": {"repobilityId": 112005, "scanner": "osv-scanner", "fingerprint": "95c9cb2d7a99f336e1bbef247d0da05479eef609012ca41a68cc65bab2a03c00", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45022"], "package": "github.com/go-git/go-git/v5", "rule_id": "GHSA-389r-gv7p-r3rp", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/go-git/go-git/v5|CVE-2026-45022|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4910", "level": "error", "message": {"text": "github.com/go-git/go-git/v5: GO-2026-4910"}, "properties": {"repobilityId": 112004, "scanner": "osv-scanner", "fingerprint": "d47ff45d5e10a55a7aa982cb3d8ca9f333e59d4cbd8fe49118a82657913696df", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34165", "GHSA-jhf3-xxhw-2wpp"], "package": "github.com/go-git/go-git/v5", "rule_id": "GO-2026-4910", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/go-git/go-git/v5|CVE-2026-34165|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-jhf3-xxhw-2wpp", "GO-2026-4910"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["c4e4d862ac086c616ca3162564107ad0bef812c9a9bfebb212f36df2509c0c4f", "d47ff45d5e10a55a7aa982cb3d8ca9f333e59d4cbd8fe49118a82657913696df"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4909", "level": "error", "message": {"text": "github.com/go-git/go-git/v5: GO-2026-4909"}, "properties": {"repobilityId": 112003, "scanner": "osv-scanner", "fingerprint": "42020aebc7f9807a4272115d455f34efda411ea70f1278ce370ed5668ca34b9c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33762", "GHSA-gm2x-2g9h-ccm8"], "package": "github.com/go-git/go-git/v5", "rule_id": "GO-2026-4909", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/go-git/go-git/v5|CVE-2026-33762|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-gm2x-2g9h-ccm8", "GO-2026-4909"], "duplicate_scanners": 
["osv-scanner"], "duplicate_fingerprints": ["17aea8278cd119b9614b0fda53b2d299598e22b59e47c29c9862672cc650d73d", "42020aebc7f9807a4272115d455f34efda411ea70f1278ce370ed5668ca34b9c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4473", "level": "error", "message": {"text": "github.com/go-git/go-git/v5: GO-2026-4473"}, "properties": {"repobilityId": 112002, "scanner": "osv-scanner", "fingerprint": "09149d077959fe25ad41c387909c989a98e7d2941a5fd141ed3d763ac39bc85a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25934", "GHSA-37cx-329c-33x3"], "package": "github.com/go-git/go-git/v5", "rule_id": "GO-2026-4473", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/go-git/go-git/v5|CVE-2026-25934|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-37cx-329c-33x3", "GO-2026-4473"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["09149d077959fe25ad41c387909c989a98e7d2941a5fd141ed3d763ac39bc85a", "719ae08a110cb4382c5fecadef16fb258257881a3f99770c8162e8ebb8e27632"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3367", "level": "error", "message": {"text": "github.com/go-git/go-git/v5: GO-2025-3367"}, "properties": {"repobilityId": 112000, "scanner": "osv-scanner", "fingerprint": "76f5366d0c821560ffdb2834e02fb6396a6ff3664308344f79773683dc12d43b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-21614", "GHSA-r9px-m959-cxf4"], "package": "github.com/go-git/go-git/v5", 
"rule_id": "GO-2025-3367", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/go-git/go-git/v5|CVE-2025-21614|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r9px-m959-cxf4", "GO-2025-3367"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["31138605dbf8caebf5e68e0e03fc6580282c635d8db881dcc79a5f902a0e8472", "76f5366d0c821560ffdb2834e02fb6396a6ff3664308344f79773683dc12d43b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qw64-3x98-g7q2", "level": "error", "message": {"text": "github.com/go-git/go-billy/v5: GHSA-qw64-3x98-g7q2"}, "properties": {"repobilityId": 111999, "scanner": "osv-scanner", "fingerprint": "e64bb32a397fb415314017a3a67aeae042580702c263825ea71311155fe6980d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44973"], "package": "github.com/go-git/go-billy/v5", "rule_id": "GHSA-qw64-3x98-g7q2", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-44973|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3533", "level": "error", "message": {"text": "github.com/getkin/kin-openapi: GO-2025-3533"}, "properties": {"repobilityId": 111996, "scanner": "osv-scanner", "fingerprint": "3b2766019a81c9cbef3f4fe3b1defa345b1eb4f07ee795246b23e0c19d248cfc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-30153", "GHSA-wq9g-9vfc-cfq9"], "package": "github.com/getkin/kin-openapi", "rule_id": "GO-2025-3533", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2025-30153|go.mod", "duplicate_count": 1, 
"duplicate_rule_ids": ["GHSA-wq9g-9vfc-cfq9", "GO-2025-3533"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3b2766019a81c9cbef3f4fe3b1defa345b1eb4f07ee795246b23e0c19d248cfc", "53477215cb7e89b384f0518e191f5a9b4754ef7913a8c25ead14c616167d75d8"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4511", "level": "error", "message": {"text": "github.com/ethereum/go-ethereum: GO-2026-4511"}, "properties": {"repobilityId": 111995, "scanner": "osv-scanner", "fingerprint": "6c3c485c44b0e542895c866405628023e308cdbc4113428421cfc1c38db73b83", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-26315", "GHSA-m6j8-rg6r-7mv8"], "package": "github.com/ethereum/go-ethereum", "rule_id": "GO-2026-4511", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-26315|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-m6j8-rg6r-7mv8", "GO-2026-4511"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["6c3c485c44b0e542895c866405628023e308cdbc4113428421cfc1c38db73b83", "df4207ed0dac791279455869dfa6a1487b9e611e6f9e8a06c79721a2c48148cb"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4508", "level": "error", "message": {"text": "github.com/ethereum/go-ethereum: GO-2026-4508"}, "properties": {"repobilityId": 111994, "scanner": "osv-scanner", "fingerprint": "ace572c15ae4006f8b0ae87f03f8697011d9a29417c06e54c8b00cae83ead6cb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": 
["CVE-2026-26313", "GHSA-689v-6xwf-5jf3"], "package": "github.com/ethereum/go-ethereum", "rule_id": "GO-2026-4508", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-26313|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-689v-6xwf-5jf3", "GO-2026-4508"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["33863439728177b861efa41bcf7fe70afb1dfd3a5f3fbfc07171a6c6fc7308c7", "ace572c15ae4006f8b0ae87f03f8697011d9a29417c06e54c8b00cae83ead6cb"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4507", "level": "error", "message": {"text": "github.com/ethereum/go-ethereum: GO-2026-4507"}, "properties": {"repobilityId": 111993, "scanner": "osv-scanner", "fingerprint": "5e73b7b0206e63c415718b98987f92e66a7a7727d7913da8e12af3ec0e48b330", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-26314", "GHSA-2gjw-fg97-vg3r"], "package": "github.com/ethereum/go-ethereum", "rule_id": "GO-2026-4507", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-26314|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-2gjw-fg97-vg3r", "GO-2026-4507"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5e73b7b0206e63c415718b98987f92e66a7a7727d7913da8e12af3ec0e48b330", "f30b7625add61f1f567cd3523761f6fb401a86b9e2c31bda0221c6f8000fbe1d"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4315", "level": "error", "message": {"text": "github.com/ethereum/go-ethereum: GO-2026-4315"}, "properties": {"repobilityId": 111992, "scanner": "osv-scanner", "fingerprint": "2ad1a87b3ba76dc867ef1e84386ba127dd2b1bd62edf250bb09044c6a2d999d3", "category": "dependency", "severity": 
"high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-22862", "GHSA-mr7q-c9w9-wh4h"], "package": "github.com/ethereum/go-ethereum", "rule_id": "GO-2026-4315", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-22862|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-mr7q-c9w9-wh4h", "GO-2026-4315"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1be799832adaa0b151d7e4755d47dd3bd8ac50b7cade3850dad90020ea5b461f", "2ad1a87b3ba76dc867ef1e84386ba127dd2b1bd62edf250bb09044c6a2d999d3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4314", "level": "error", "message": {"text": "github.com/ethereum/go-ethereum: GO-2026-4314"}, "properties": {"repobilityId": 111991, "scanner": "osv-scanner", "fingerprint": "251c4eab9384c84b24204995b680a9d32e011dec1c4924f108ac17efb65febb3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-22868", "GHSA-mq3p-rrmp-79jg"], "package": "github.com/ethereum/go-ethereum", "rule_id": "GO-2026-4314", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-22868|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-mq3p-rrmp-79jg", "GO-2026-4314"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["251c4eab9384c84b24204995b680a9d32e011dec1c4924f108ac17efb65febb3", "523fb63210f8ee2ef502471bd3561970f77494c9acadc23197feb362eafc66f0"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x86f-5xw2-fm2r", "level": "error", "message": {"text": 
"github.com/docker/docker: GHSA-x86f-5xw2-fm2r"}, "properties": {"repobilityId": 111990, "scanner": "osv-scanner", "fingerprint": "ecc6ed6c4235e74408ec9370ddc23ff3dbad411ba363e956f997df81b89994d6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41567"], "package": "github.com/docker/docker", "rule_id": "GHSA-x86f-5xw2-fm2r", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/docker/docker|CVE-2026-41567|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rg2x-37c3-w2rh", "level": "error", "message": {"text": "github.com/docker/docker: GHSA-rg2x-37c3-w2rh"}, "properties": {"repobilityId": 111988, "scanner": "osv-scanner", "fingerprint": "7277c93bf890a8d12fface3695f46c1e6059e287e001bc0392dba8dd4509a8ae", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42306"], "package": "github.com/docker/docker", "rule_id": "GHSA-rg2x-37c3-w2rh", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/docker/docker|CVE-2026-42306|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4887", "level": "error", "message": {"text": "github.com/docker/docker: GO-2026-4887"}, "properties": {"repobilityId": 111986, "scanner": "osv-scanner", "fingerprint": "d6f6a2351e6ef343bfb6ee1219a05ff22c0f7c4010ba22a4049ee374e795cedd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34040", "GHSA-x744-4wpc-v9h2"], "package": 
"github.com/docker/docker", "rule_id": "GO-2026-4887", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/docker/docker|CVE-2026-34040|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-x744-4wpc-v9h2", "GO-2026-4887"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["a5dca885d4457566e44bf97276f40f671327db66ed4cb30d89132b338fd52ae7", "d6f6a2351e6ef343bfb6ee1219a05ff22c0f7c4010ba22a4049ee374e795cedd"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4883", "level": "error", "message": {"text": "github.com/docker/docker: GO-2026-4883"}, "properties": {"repobilityId": 111985, "scanner": "osv-scanner", "fingerprint": "562d1904a502677c15872d1c31779101649499d5458af9a42fef2657d4d59f82", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33997", "GHSA-pxq6-2prw-chj9"], "package": "github.com/docker/docker", "rule_id": "GO-2026-4883", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/docker/docker|CVE-2026-33997|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-pxq6-2prw-chj9", "GO-2026-4883"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["562d1904a502677c15872d1c31779101649499d5458af9a42fef2657d4d59f82", "b796a5dcdfde9e9c93376523ac0278f1e06394d4e02096d8738e7c61e00cfcbf"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4610", "level": "error", "message": {"text": "github.com/docker/cli: GO-2026-4610"}, "properties": {"repobilityId": 111984, "scanner": "osv-scanner", "fingerprint": "a28e56f5912bc43eb6ebcc11b194a2d470324ad2c96e67c0131b9e927f801e2f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-docker-cli-2025-15558", "CVE-2025-15558", "GHSA-p436-gjf2-799p"], "package": "github.com/docker/cli", "rule_id": "GO-2026-4610", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/docker/cli|CVE-2025-15558|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-p436-gjf2-799p", "GO-2026-4610"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["a03b368596ec2eca136bc2559efc4b7e8e1ff2290ac3335c821507dbdd092e93", "a28e56f5912bc43eb6ebcc11b194a2d470324ad2c96e67c0131b9e927f801e2f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-4087", "level": "error", "message": {"text": "github.com/consensys/gnark-crypto: GO-2025-4087"}, "properties": {"repobilityId": 111983, "scanner": "osv-scanner", "fingerprint": "1e05b658ee8688080b6ee6ea59a912199299380fe53786ad17b30c01fb0a7748", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-fj2x-735w-74vq"], "package": "github.com/consensys/gnark-crypto", "rule_id": "GO-2025-4087", "scanner": "osv-scanner", "correlation_key": "vuln|token|GHSA-FJ2X-735W-74VQ|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-fj2x-735w-74vq", "GO-2025-4087"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1e05b658ee8688080b6ee6ea59a912199299380fe53786ad17b30c01fb0a7748", "f276f2b56c61224563aec0492ea393eb17e13ee768ec3ed7b0a87d9955eb567f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4550", "level": "error", "message": {"text": "github.com/cloudflare/circl: GO-2026-4550"}, 
"properties": {"repobilityId": 111982, "scanner": "osv-scanner", "fingerprint": "ae2bb6f740e5649ca91e6b8b823afbef4cfccc5eda39d62235512a8a377122e3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-1229", "GHSA-q9hv-hpm4-hj6x"], "package": "github.com/cloudflare/circl", "rule_id": "GO-2026-4550", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/cloudflare/circl|CVE-2026-1229|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-q9hv-hpm4-hj6x", "GO-2026-4550"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["7eea7bc5d57663a069ba225b641b5c3dfce2a9c22dfac68015833fa7439c4754", "ae2bb6f740e5649ca91e6b8b823afbef4cfccc5eda39d62235512a8a377122e3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2025-3754", "level": "error", "message": {"text": "github.com/cloudflare/circl: GO-2025-3754"}, "properties": {"repobilityId": 111981, "scanner": "osv-scanner", "fingerprint": "240548848fdd39246dfb684bea8d66fc48f20499b4a4a13784bf5acfd19845e1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-8556", "GHSA-2x5j-vhc8-9cwm"], "package": "github.com/cloudflare/circl", "rule_id": "GO-2025-3754", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/cloudflare/circl|CVE-2025-8556|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-2x5j-vhc8-9cwm", "GO-2025-3754"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["240548848fdd39246dfb684bea8d66fc48f20499b4a4a13784bf5acfd19845e1", 
"439c586d611a9f96caab6c9fea1c08e5fcebd82b4549d7d6528b36f1f5719d1b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2022-0646", "level": "error", "message": {"text": "github.com/aws/aws-sdk-go: GO-2022-0646"}, "properties": {"repobilityId": 111979, "scanner": "osv-scanner", "fingerprint": "14ab79460661b75af300b4ba885355c77a37ee4cbdd335bc7ee26fdf9af42b39", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2020-8911", "GHSA-f5pg-7wfw-84q9"], "package": "github.com/aws/aws-sdk-go", "rule_id": "GO-2022-0646", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/aws/aws-sdk-go|CVE-2020-8911|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2022-0635", "level": "error", "message": {"text": "github.com/aws/aws-sdk-go: GO-2022-0635"}, "properties": {"repobilityId": 111978, "scanner": "osv-scanner", "fingerprint": "893a3d2b4f8d68aed1660b455dea32811b0247697571650d59a268961226384e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2020-8912", "GHSA-7f33-f4f5-xwgw"], "package": "github.com/aws/aws-sdk-go", "rule_id": "GO-2022-0635", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/aws/aws-sdk-go|CVE-2020-8912|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4503", "level": "error", "message": {"text": "filippo.io/edwards25519: GO-2026-4503"}, "properties": {"repobilityId": 111977, "scanner": "osv-scanner", "fingerprint": "71397a3693b5480b1d67c0e110aea8713771f76a648a83a00ebe9b9f327cbbd5", "category": "dependency", "severity": "high", "confidence": 
0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-26958", "GHSA-fw7p-63qq-7hpr"], "package": "filippo.io/edwards25519", "rule_id": "GO-2026-4503", "scanner": "osv-scanner", "correlation_key": "vuln|filippo.io/edwards25519|CVE-2026-26958|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-fw7p-63qq-7hpr", "GO-2026-4503"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["71397a3693b5480b1d67c0e110aea8713771f76a648a83a00ebe9b9f327cbbd5", "e8077c69e8507f17a83686f64c8c2997828e000451eec62e3684ffa37eb6e2a7"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0055", "level": "error", "message": {"text": "tracing-subscriber: RUSTSEC-2025-0055"}, "properties": {"repobilityId": 111976, "scanner": "osv-scanner", "fingerprint": "382c2e6bf380a1b7402058788d5b4c01a3bc24ca705aff7ee84bc92483bc38d1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-58160", "GHSA-xwfj-jgwm-7wp5"], "package": "tracing-subscriber", "rule_id": "RUSTSEC-2025-0055", "scanner": "osv-scanner", "correlation_key": "vuln|tracing-subscriber|CVE-2025-58160|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-xwfj-jgwm-7wp5", "RUSTSEC-2025-0055"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["382c2e6bf380a1b7402058788d5b4c01a3bc24ca705aff7ee84bc92483bc38d1", "421e2ded1a3973c135ca2b34d9f5ceabf14f26ee72a5d93fdb9a429b39db56cd"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0009", "level": "error", "message": {"text": "time: 
RUSTSEC-2026-0009"}, "properties": {"repobilityId": 111975, "scanner": "osv-scanner", "fingerprint": "9fb941cdcde7d808df297ded949de574907ac1fbeb6f7223b9e05c56e941adb0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25727", "GHSA-r6v5-fh4h-64xc"], "package": "time", "rule_id": "RUSTSEC-2026-0009", "scanner": "osv-scanner", "correlation_key": "vuln|time|CVE-2026-25727|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r6v5-fh4h-64xc", "RUSTSEC-2026-0009"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["2c2d2ae12df666e8132d287bd534a3c14d824cdb5129b7d9425024955a840e9f", "9fb941cdcde7d808df297ded949de574907ac1fbeb6f7223b9e05c56e941adb0"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2021-0127", "level": "error", "message": {"text": "serde_cbor: RUSTSEC-2021-0127"}, "properties": {"repobilityId": 111974, "scanner": "osv-scanner", "fingerprint": "a1dd4446b1ebae535d80097a37bd392cdf56bfe6431e6f6faea9a80fa4e9997d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serde_cbor", "rule_id": "RUSTSEC-2021-0127", "scanner": "osv-scanner", "correlation_key": "fp|a1dd4446b1ebae535d80097a37bd392cdf56bfe6431e6f6faea9a80fa4e9997d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0104", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0104"}, "properties": {"repobilityId": 111973, "scanner": "osv-scanner", "fingerprint": "fcab9132587a2c990296f83177c4848cd44ed60f21e65c82ba81416282ab891e", "category": "dependency", "severity": 
"high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-82j2-j2ch-gfr8"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0104", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-82J2-J2CH-GFR8|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-82j2-j2ch-gfr8", "RUSTSEC-2026-0104"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["476482283f7b4bf24cebe63c772832bbcbb2a342714f10bd108d0c5c67b78813", "fcab9132587a2c990296f83177c4848cd44ed60f21e65c82ba81416282ab891e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0099", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0099"}, "properties": {"repobilityId": 111972, "scanner": "osv-scanner", "fingerprint": "ac54d27f2da05de068570ed12b689c1c212043920c11599e88d3ec15aed9e04f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-xgp8-3hg3-c2mh"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0099", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-XGP8-3HG3-C2MH|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-xgp8-3hg3-c2mh", "RUSTSEC-2026-0099"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["2a5659d7cbd0bb9dfc9d2adea8035c41fc228507431bf1ff230640799fbb9dc2", "ac54d27f2da05de068570ed12b689c1c212043920c11599e88d3ec15aed9e04f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0098", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0098"}, 
"properties": {"repobilityId": 111971, "scanner": "osv-scanner", "fingerprint": "f164bd6ab1544e41652580549ab01f3ee5677dfeb6440d8de8a63093cf542613", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-965h-392x-2mh5"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0098", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-965H-392X-2MH5|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-965h-392x-2mh5", "RUSTSEC-2026-0098"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["4e353f860af1fd9047341f396e862081c6c9d858904293310e34f17a61d47c4c", "f164bd6ab1544e41652580549ab01f3ee5677dfeb6440d8de8a63093cf542613"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0049", "level": "error", "message": {"text": "rustls-webpki: RUSTSEC-2026-0049"}, "properties": {"repobilityId": 111970, "scanner": "osv-scanner", "fingerprint": "c255a366c5ce5102bcdc590878b2b69c65babf58fba82dc3e7831720a1de8e0b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-pwjx-qhcg-rvj4"], "package": "rustls-webpki", "rule_id": "RUSTSEC-2026-0049", "scanner": "osv-scanner", "correlation_key": "vuln|rustls-webpki|GHSA-PWJX-QHCG-RVJ4|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-pwjx-qhcg-rvj4", "RUSTSEC-2026-0049"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["8d0a8a95183a8e67ddddb67ea96d335b0564fb0fcd1f901d95577ef01a82be3b", "c255a366c5ce5102bcdc590878b2b69c65babf58fba82dc3e7831720a1de8e0b"]}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0134", "level": "error", "message": {"text": "rustls-pemfile: RUSTSEC-2025-0134"}, "properties": {"repobilityId": 111969, "scanner": "osv-scanner", "fingerprint": "16c6cdd2e6cf0f2fb425a0bc02ce469766da4f1065573f6b5829e63820fb23d5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "rustls-pemfile", "rule_id": "RUSTSEC-2025-0134", "scanner": "osv-scanner", "correlation_key": "fp|16c6cdd2e6cf0f2fb425a0bc02ce469766da4f1065573f6b5829e63820fb23d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2023-0071", "level": "error", "message": {"text": "rsa: RUSTSEC-2023-0071"}, "properties": {"repobilityId": 111967, "scanner": "osv-scanner", "fingerprint": "8d2ec21cf46ba80ff1843c2b573a651f4162fc37b24b67de47343d2180e0463e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-49092", "GHSA-4grx-2x9w-596c", "GHSA-c38w-74pg-36hr"], "package": "rsa", "rule_id": "RUSTSEC-2023-0071", "scanner": "osv-scanner", "correlation_key": "vuln|rsa|CVE-2023-49092|cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0097", "level": "error", "message": {"text": "rand: RUSTSEC-2026-0097"}, "properties": {"repobilityId": 111966, "scanner": "osv-scanner", "fingerprint": "a22e3aa5f0c463335f53b031b0648b51d94f3563915cac37a8666a217ed7a5dc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": 
"", "aliases": ["GHSA-cq8v-f236-94qc"], "package": "rand", "rule_id": "RUSTSEC-2026-0097", "scanner": "osv-scanner", "correlation_key": "vuln|rand|GHSA-CQ8V-F236-94QC|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-cq8v-f236-94qc", "RUSTSEC-2026-0097"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["a22e3aa5f0c463335f53b031b0648b51d94f3563915cac37a8666a217ed7a5dc", "ee2ad9157999fcb0c8f925391a5e09946511288ceed3e6c5f5b05828611b879f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0037", "level": "error", "message": {"text": "quinn-proto: RUSTSEC-2026-0037"}, "properties": {"repobilityId": 111965, "scanner": "osv-scanner", "fingerprint": "f9c1af453f9a0bdfe4a69e7898d9b3129cb1ee80152010518158bda28e881f27", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-31812", "GHSA-6xvm-j4wr-6v98"], "package": "quinn-proto", "rule_id": "RUSTSEC-2026-0037", "scanner": "osv-scanner", "correlation_key": "vuln|quinn-proto|CVE-2026-31812|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-6xvm-j4wr-6v98", "RUSTSEC-2026-0037"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["2dc7434cf5d6d3f88ba848d37c8b48497b46115aca80c0a7dd5239e3c7556031", "f9c1af453f9a0bdfe4a69e7898d9b3129cb1ee80152010518158bda28e881f27"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0370", "level": "error", "message": {"text": "proc-macro-error: RUSTSEC-2024-0370"}, "properties": {"repobilityId": 111964, "scanner": "osv-scanner", "fingerprint": "479281b680a3742dad2f7a7c69c0da3e0c7676004685623da1f79bbaa167eba8", "category": "dependency", "severity": "high", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "proc-macro-error", "rule_id": "RUSTSEC-2024-0370", "scanner": "osv-scanner", "correlation_key": "fp|479281b680a3742dad2f7a7c69c0da3e0c7676004685623da1f79bbaa167eba8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0436", "level": "error", "message": {"text": "paste: RUSTSEC-2024-0436"}, "properties": {"repobilityId": 111963, "scanner": "osv-scanner", "fingerprint": "ecf6a49d252eada338538964a3d9bb37acf276dba6d473e55cf76f528b35783f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "paste", "rule_id": "RUSTSEC-2024-0436", "scanner": "osv-scanner", "correlation_key": "fp|ecf6a49d252eada338538964a3d9bb37acf276dba6d473e55cf76f528b35783f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0002", "level": "error", "message": {"text": "lru: RUSTSEC-2026-0002"}, "properties": {"repobilityId": 111962, "scanner": "osv-scanner", "fingerprint": "55cddf09b8e903a4447dab5af29af25d6d1e296c37dab01986114159b4e19865", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-rhfx-m35p-ff5j"], "package": "lru", "rule_id": "RUSTSEC-2026-0002", "scanner": "osv-scanner", "correlation_key": "vuln|lru|GHSA-RHFX-M35P-FF5J|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-rhfx-m35p-ff5j", "RUSTSEC-2026-0002"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["55cddf09b8e903a4447dab5af29af25d6d1e296c37dab01986114159b4e19865", 
"f7511434ae66124b731f3584daca20a14062fa1d2a91ccce3ea718c421d33184"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0384", "level": "error", "message": {"text": "instant: RUSTSEC-2024-0384"}, "properties": {"repobilityId": 111961, "scanner": "osv-scanner", "fingerprint": "2ceb760f484abeb3a84e0d3edb5de7bba161864b40faf40414de9a12f611490f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "instant", "rule_id": "RUSTSEC-2024-0384", "scanner": "osv-scanner", "correlation_key": "fp|2ceb760f484abeb3a84e0d3edb5de7bba161864b40faf40414de9a12f611490f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0119", "level": "error", "message": {"text": "hickory-proto: RUSTSEC-2026-0119"}, "properties": {"repobilityId": 111960, "scanner": "osv-scanner", "fingerprint": "3888adf84f7b2ec428661b59e66f5ca12128006dde2418a88022f6c0bc87877c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-q2qq-hmj6-3wpp"], "package": "hickory-proto", "rule_id": "RUSTSEC-2026-0119", "scanner": "osv-scanner", "correlation_key": "vuln|hickory-proto|GHSA-Q2QQ-HMJ6-3WPP|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-q2qq-hmj6-3wpp", "RUSTSEC-2026-0119"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3888adf84f7b2ec428661b59e66f5ca12128006dde2418a88022f6c0bc87877c", "88fbe634eef91d6aec0b8a333dbbc7e479a5ac71276652d8e771619d75e2e3d6"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"RUSTSEC-2026-0118", "level": "error", "message": {"text": "hickory-proto: RUSTSEC-2026-0118"}, "properties": {"repobilityId": 111959, "scanner": "osv-scanner", "fingerprint": "7550c9d9c602fff861f1c48af1c576643ce524ac31563ba3c1031a1bd571a8a0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["GHSA-3v94-mw7p-v465", "RUSTSEC-2026-0120"], "package": "hickory-proto", "rule_id": "RUSTSEC-2026-0118", "scanner": "osv-scanner", "correlation_key": "vuln|hickory-proto|GHSA-3V94-MW7P-V465|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-3v94-mw7p-v465", "RUSTSEC-2026-0118"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["7550c9d9c602fff861f1c48af1c576643ce524ac31563ba3c1031a1bd571a8a0", "a82649c11162e32b7406578f0aa547ad0fefbe9464a31e6bc190abfb013144d4"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0058", "level": "error", "message": {"text": "custom_derive: RUSTSEC-2025-0058"}, "properties": {"repobilityId": 111958, "scanner": "osv-scanner", "fingerprint": "ccfc79e6b1311754c931599d7ff678f50e7c91a1665665c03da160ceaf470c61", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "custom_derive", "rule_id": "RUSTSEC-2025-0058", "scanner": "osv-scanner", "correlation_key": "fp|ccfc79e6b1311754c931599d7ff678f50e7c91a1665665c03da160ceaf470c61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2026-0007", "level": "error", "message": {"text": "bytes: RUSTSEC-2026-0007"}, "properties": {"repobilityId": 111957, "scanner": "osv-scanner", "fingerprint": 
"840e36d2de2ac4a8c1c34987b6b57d85a91e4b9353f37c12a525b9daca3b5258", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-25541", "GHSA-434x-w66g-qw3r"], "package": "bytes", "rule_id": "RUSTSEC-2026-0007", "scanner": "osv-scanner", "correlation_key": "vuln|bytes|CVE-2026-25541|cargo.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-434x-w66g-qw3r", "RUSTSEC-2026-0007"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["840e36d2de2ac4a8c1c34987b6b57d85a91e4b9353f37c12a525b9daca3b5258", "95131744e23e323a780caee127b231789361290b6f3c2f97df8af0deb20d6e30"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0141", "level": "error", "message": {"text": "bincode: RUSTSEC-2025-0141"}, "properties": {"repobilityId": 111956, "scanner": "osv-scanner", "fingerprint": "634ded575a91e8662811f47a1170cf5fb4279a65e3c3176bb84aeaac3c78b213", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "bincode", "rule_id": "RUSTSEC-2025-0141", "scanner": "osv-scanner", "correlation_key": "fp|634ded575a91e8662811f47a1170cf5fb4279a65e3c3176bb84aeaac3c78b213"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2023-0089", "level": "error", "message": {"text": "atomic-polyfill: RUSTSEC-2023-0089"}, "properties": {"repobilityId": 111955, "scanner": "osv-scanner", "fingerprint": "1991318cef9b21100b7e75de38d03ee15dc9e29ccf26325777d5b4f7a61d54b6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"match": "", "package": "atomic-polyfill", "rule_id": "RUSTSEC-2023-0089", "scanner": "osv-scanner", "correlation_key": "fp|1991318cef9b21100b7e75de38d03ee15dc9e29ccf26325777d5b4f7a61d54b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 111943, "scanner": "repobility-threat-engine", "fingerprint": "3f10f5ed5d990c5251376b9eb1f5e09bff6eb34b76005902d2653d5e8fc40086", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3f10f5ed5d990c5251376b9eb1f5e09bff6eb34b76005902d2653d5e8fc40086"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/src/streams.rs"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 111942, "scanner": "repobility-threat-engine", "fingerprint": "02fa665aa9d6e8b7e8dbced5dd0a60715e3fccb055419ae02a2b4e0b24e9bcde", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|02fa665aa9d6e8b7e8dbced5dd0a60715e3fccb055419ae02a2b4e0b24e9bcde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/src/public_key.rs"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC092", "level": "error", "message": {"text": "[SEC092] Go: SQL via fmt.Sprintf or string concat: SQL query constructed via Sprintf or `+` enables SQL injection. 
Ported from gosec G201 / G202 (Apache-2.0)."}, "properties": {"repobilityId": 111936, "scanner": "repobility-threat-engine", "fingerprint": "f83a9f6234c0485f46611e46d8ed3a043192ad700930320a8408ad965786bc50", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "db.Exec(fmt.Sprintf(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC092", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f83a9f6234c0485f46611e46d8ed3a043192ad700930320a8408ad965786bc50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/statedb/statedb.go"}, "region": {"startLine": 174}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 111934, "scanner": "repobility-threat-engine", "fingerprint": "d65953b5aa7ccb6784a7d147f5ec3212ee8ea6c0af2e4d26c9cdf254907f8ec6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d65953b5aa7ccb6784a7d147f5ec3212ee8ea6c0af2e4d26c9cdf254907f8ec6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/proc/proc.go"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 111933, "scanner": 
"repobility-threat-engine", "fingerprint": "18670c860e3547f998b28d89de92cc2365e50d52175daa3dab5567cdf4eee6d9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|18670c860e3547f998b28d89de92cc2365e50d52175daa3dab5567cdf4eee6d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/mist/misttriggers/stream_buffer.go"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. 
AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 111931, "scanner": "repobility-threat-engine", "fingerprint": "ccccc06b83ce38ab9e0e32427d1f423cc2e6e0632ab9b29d286b81f8f5956859", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ccccc06b83ce38ab9e0e32427d1f423cc2e6e0632ab9b29d286b81f8f5956859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/crypto/signers/eip712/eip712test/eip712test.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 111930, "scanner": "repobility-threat-engine", "fingerprint": "e6a61405bcf5e9e265bf7da7d54218983e0a57aef6d86fe0c2778cb81d7bd2b4", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|pkg/cmd/combine.go|38|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/cmd/combine.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 111928, "scanner": "repobility-threat-engine", "fingerprint": "b0b4abc3f8f17a312ff728f27953735d378b365355441d462de6c6ecfac2defa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b0b4abc3f8f17a312ff728f27953735d378b365355441d462de6c6ecfac2defa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/blob/s3.go"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 111927, "scanner": "repobility-threat-engine", "fingerprint": "e3f9f0bf27cee0001b28f1fc23aba44c70baf4c0968373e814c3374b3be7435d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e3f9f0bf27cee0001b28f1fc23aba44c70baf4c0968373e814c3374b3be7435d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/atproto/lexicon_repo.go"}, "region": {"startLine": 271}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 111926, "scanner": "repobility-threat-engine", "fingerprint": "f2221fb54db76a2d82b0faa162669bc71703c16156884a23d580fedb0c5750fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2221fb54db76a2d82b0faa162669bc71703c16156884a23d580fedb0c5750fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/atproto/labeler_firehose.go"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC111", "level": "error", "message": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. 
Calling them on non-constant data is XSS."}, "properties": {"repobilityId": 111924, "scanner": "repobility-threat-engine", "fingerprint": "9da13aaa9d91e9d502e3709eb15a63095ce9ed8b79f205d4c491113b2ef88aeb", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SafeString(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC111", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9da13aaa9d91e9d502e3709eb15a63095ce9ed8b79f205d4c491113b2ef88aeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/media/mkv_ingest.go"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC111", "level": "error", "message": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Calling them on non-constant data is XSS."}, "properties": {"repobilityId": 111923, "scanner": "repobility-threat-engine", "fingerprint": "855a4916ed4b612eef004d72c4616bc35ff491efba905f6be9a32305ac0a13c6", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SafeString(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC111", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|855a4916ed4b612eef004d72c4616bc35ff491efba905f6be9a32305ac0a13c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/media/clip_user.go"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC111", "level": "error", "message": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. 
Calling them on non-constant data is XSS."}, "properties": {"repobilityId": 111922, "scanner": "repobility-threat-engine", "fingerprint": "719d2ec55a3ce848219d1c05b0599013eb57583876a52d688b76b2fe6981db72", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SafeString(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC111", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|719d2ec55a3ce848219d1c05b0599013eb57583876a52d688b76b2fe6981db72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/aqtime/aqtime.go"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 111917, "scanner": "repobility-threat-engine", "fingerprint": "2630bd51f85d5c1c6d78fcf03dbcc99c95641452d0979f4f9fa9c7c84dfed6c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\": \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2630bd51f85d5c1c6d78fcf03dbcc99c95641452d0979f4f9fa9c7c84dfed6c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/playback-router/src/index.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 111915, "scanner": "repobility-threat-engine", "fingerprint": "7dbbcb9b5264c00db9cc69c4711831d8e971f818f1e046b42904746a6ca54475", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(/rtpmap:([0-9]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|39|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/mobile-player/webrtc-diagnostics.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 111906, "scanner": "repobility-threat-engine", "fingerprint": "ed0856d3153da956521413ae74067f025db89bb00aaa69aeee092a2bd372c4c1", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(\"Notification token acquired:\", token)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|9|console.log notification token acquired: token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/store/slices/platformSlice.native.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 111903, "scanner": "repobility-threat-engine", "fingerprint": "1cc22ae5e07fd924bc7003fd0035a98cb2cdf2263f1fd6530c221db5eded9aca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(fmt", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1cc22ae5e07fd924bc7003fd0035a98cb2cdf2263f1fd6530c221db5eded9aca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/statedb/statedb.go"}, "region": {"startLine": 174}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 111902, "scanner": "repobility-threat-engine", "fingerprint": "4c023ba89f5f159e1c66016bd1bdf16aa829f1333c220581528af8f01f7e6cb2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(version", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c023ba89f5f159e1c66016bd1bdf16aa829f1333c220581528af8f01f7e6cb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/settings/about-category-settings.tsx"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async 
call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 111896, "scanner": "repobility-threat-engine", "fingerprint": "931db414d7d1fb6a5f88e05738e7d051d7a17376dfe3c9b28a8d561adc34c9bf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(messageId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|931db414d7d1fb6a5f88e05738e7d051d7a17376dfe3c9b28a8d561adc34c9bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/src/components/danmu/danmu-overlay.tsx"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 111895, "scanner": "repobility-threat-engine", "fingerprint": "9f14db448dbbf2aed04e750d542675cf525d0046f3c7935a696b86a7c9676f9c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "newSet.delete(rkey);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9f14db448dbbf2aed04e750d542675cf525d0046f3c7935a696b86a7c9676f9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/settings/key-manager.tsx"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 111894, "scanner": "repobility-threat-engine", "fingerprint": "ab4dc3a2afb26aad6d8c8ee15e5cca17d31ce18ba089c08d50abff1ef58152f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "newSet.delete(target.uri);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ab4dc3a2afb26aad6d8c8ee15e5cca17d31ce18ba089c08d50abff1ef58152f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/live-dashboard/multistream-status.tsx"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 111884, "scanner": "repobility-threat-engine", "fingerprint": "4726bd187d08c978c08219b4d5cb91010b2dfd2322fe976c9c634efe9bfd9eda", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4726bd187d08c978c08219b4d5cb91010b2dfd2322fe976c9c634efe9bfd9eda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/login/login-form.tsx"}, "region": {"startLine": 138}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 111883, "scanner": "repobility-threat-engine", "fingerprint": "874786312e20354fb96d2cff6429e13e1637463811c2d61b367558d19350fc44", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|874786312e20354fb96d2cff6429e13e1637463811c2d61b367558d19350fc44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/live-dashboard/multistream-status.tsx"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 111882, "scanner": "repobility-threat-engine", "fingerprint": "2f24c0de0ff4a3e66eba69d728aff45983c42c24eee223d6054a8b04fe2962a9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2f24c0de0ff4a3e66eba69d728aff45983c42c24eee223d6054a8b04fe2962a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/components/get-apps.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 111872, "scanner": "repobility-threat-engine", "fingerprint": "9bfb9ffe4f927b8ce4d873fa9a9c3a75f1366f41afa9e71eb18c7bb3ed8a801f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9bfb9ffe4f927b8ce4d873fa9a9c3a75f1366f41afa9e71eb18c7bb3ed8a801f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/desktop-updates.go"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, 
"properties": {"repobilityId": 111871, "scanner": "repobility-threat-engine", "fingerprint": "189a4820c4b8c68455fa2cb901e41be9dca5b419546a8d055051f50184a0cded", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|189a4820c4b8c68455fa2cb901e41be9dca5b419546a8d055051f50184a0cded"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/app-downloads.go"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 111870, "scanner": "repobility-threat-engine", "fingerprint": "a7934d7bc243b2d0e4d839239707d700a30c886677335839c99fef277c388360", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a7934d7bc243b2d0e4d839239707d700a30c886677335839c99fef277c388360"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/compare-hash.sh"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `golangci/golangci-lint-action` pinned to 
mutable ref `@v8`"}, "properties": {"repobilityId": 111831, "scanner": "repobility-supply-chain", "fingerprint": "de5fd2c2e88026ce9b7d3885f59901c59201285c37a007006e1478a2005c6e2c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|de5fd2c2e88026ce9b7d3885f59901c59201285c37a007006e1478a2005c6e2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/golangci-lint.yaml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4.1.7`"}, "properties": {"repobilityId": 111830, "scanner": "repobility-supply-chain", "fingerprint": "4f742910e23db9f186252d9635844ab1075376b782451548de5583b97f4d1682", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f742910e23db9f186252d9635844ab1075376b782451548de5583b97f4d1682"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/golangci-lint.yaml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 111829, "scanner": "repobility-supply-chain", "fingerprint": "5d63c4923611f862b376b5d9cc2b8248620ef7a6e279cf040d42b47cecf3a570", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d63c4923611f862b376b5d9cc2b8248620ef7a6e279cf040d42b47cecf3a570"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yaml"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4.1.7`"}, "properties": {"repobilityId": 111828, "scanner": "repobility-supply-chain", "fingerprint": "33f9a9d4c86af8694b0d48739229376a20f935a701c76ccfa11952558ac772dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33f9a9d4c86af8694b0d48739229376a20f935a701c76ccfa11952558ac772dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yaml"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 111827, "scanner": "repobility-supply-chain", "fingerprint": "a27d010a52d1b757488f945c1306da96197e3b1f9f74e9868fdc3c2b17126590", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|a27d010a52d1b757488f945c1306da96197e3b1f9f74e9868fdc3c2b17126590"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yaml"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4.1.7`"}, "properties": {"repobilityId": 111826, "scanner": "repobility-supply-chain", "fingerprint": "91598ea5867a79bcaa258a88aa535f0b41517b89d6526498664189b549cfcab3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|91598ea5867a79bcaa258a88aa535f0b41517b89d6526498664189b549cfcab3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yaml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4.1.7`"}, "properties": {"repobilityId": 111825, "scanner": "repobility-supply-chain", "fingerprint": "9fe596744187f16a3770a13ac7f32a8b993c55a15b6a634bab5c494d56723adb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fe596744187f16a3770a13ac7f32a8b993c55a15b6a634bab5c494d56723adb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yaml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `maxim-lobanov/setup-xcode` pinned to 
mutable ref `@v1`"}, "properties": {"repobilityId": 111824, "scanner": "repobility-supply-chain", "fingerprint": "9c8ba00c5d3cb78a6138795fc5a8e5f3e306e042a3fcb3c0e54e2dee4e582534", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c8ba00c5d3cb78a6138795fc5a8e5f3e306e042a3fcb3c0e54e2dee4e582534"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yaml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 111823, "scanner": "repobility-supply-chain", "fingerprint": "9967940f9b19c9cabad13a97a932936bcfa2e28c159ac1ad44f66e80f585c3e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9967940f9b19c9cabad13a97a932936bcfa2e28c159ac1ad44f66e80f585c3e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yaml"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4.1.7`"}, "properties": {"repobilityId": 111822, "scanner": "repobility-supply-chain", "fingerprint": "e81b689571be5256bc382a1dccfdad2fe14f9a5b3955734b400afc30c11086b9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e81b689571be5256bc382a1dccfdad2fe14f9a5b3955734b400afc30c11086b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yaml"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 111821, "scanner": "repobility-supply-chain", "fingerprint": "998c01b163471828f5bc6c2f7016893b7efa2a7a4155488ae61b901b3bc5dab1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|998c01b163471828f5bc6c2f7016893b7efa2a7a4155488ae61b901b3bc5dab1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yaml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `mikepenz/action-junit-report` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 111820, "scanner": "repobility-supply-chain", "fingerprint": "8e622463ff77bb2d01c3dc220a2c597c327c8097932a270dc2fdeef0323392ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e622463ff77bb2d01c3dc220a2c597c327c8097932a270dc2fdeef0323392ba"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yaml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `jdx/mise-action` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 111819, "scanner": "repobility-supply-chain", "fingerprint": "03d1b09d6a86545adc9db96841778fd961db2641ab4fad534989490612d41c5b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03d1b09d6a86545adc9db96841778fd961db2641ab4fad534989490612d41c5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yaml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4.1.7`"}, "properties": {"repobilityId": 111818, "scanner": "repobility-supply-chain", "fingerprint": "b9db8efaeb6ffc342baaa61fbfe5ebd989b40449092d59d72a1835202299da07", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b9db8efaeb6ffc342baaa61fbfe5ebd989b40449092d59d72a1835202299da07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yaml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `keninkujovic/gitlab-sync` pinned to mutable ref `@2.0.0`"}, "properties": {"repobilityId": 111817, "scanner": 
"repobility-supply-chain", "fingerprint": "b104c0f32c9d3a9d1c7a67ed8ff39f01be42ef141e538e692a7b02739fd37131", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b104c0f32c9d3a9d1c7a67ed8ff39f01be42ef141e538e692a7b02739fd37131"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-gitlab.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4.1.7`"}, "properties": {"repobilityId": 111816, "scanner": "repobility-supply-chain", "fingerprint": "38088d6b8f1e0ee259ebb38719b320dfabaee17bfa7fdb335315d6d520352364", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38088d6b8f1e0ee259ebb38719b320dfabaee17bfa7fdb335315d6d520352364"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-tangled.yaml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/add-to-project` pinned to mutable ref `@v1.0.2`"}, "properties": {"repobilityId": 111815, "scanner": "repobility-supply-chain", "fingerprint": "539439949c88ff7437e18cc1f665e04d60032a07b304bb615d5056030c6845b3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|539439949c88ff7437e18cc1f665e04d60032a07b304bb615d5056030c6845b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/add-to-project.yaml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `react-native-webrtc` pulled from URL/Git"}, "properties": {"repobilityId": 111814, "scanner": "repobility-supply-chain", "fingerprint": "213caf600337b9a02fa14b9e290b05777a95b280b02937cdc127f8e640ff4fe2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|213caf600337b9a02fa14b9e290b05777a95b280b02937cdc127f8e640ff4fe2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/components/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `rtcaudiodevice` pulled from URL/Git"}, "properties": {"repobilityId": 111813, "scanner": "repobility-supply-chain", "fingerprint": "9d2e7a02347c67f20f1eef7079e940f33b09d548ac2da1e56ff298b18effc7c9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d2e7a02347c67f20f1eef7079e940f33b09d548ac2da1e56ff298b18effc7c9"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "js/app/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `react-native-webrtc` pulled from URL/Git"}, "properties": {"repobilityId": 111812, "scanner": "repobility-supply-chain", "fingerprint": "aa27d3fb907208dd63a5f973486ace4a159ebe873b3bccaa6a465aeea28f1d48", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa27d3fb907208dd63a5f973486ace4a159ebe873b3bccaa6a465aeea28f1d48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `rtcaudiodevice` pulled from URL/Git"}, "properties": {"repobilityId": 111811, "scanner": "repobility-supply-chain", "fingerprint": "83d8f3f1f72f972025d85871e3565a59265dcc67aabec8a844198dbca32d9362", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|83d8f3f1f72f972025d85871e3565a59265dcc67aabec8a844198dbca32d9362"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/config-react-native-webrtc/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `react-native-webrtc` pulled from URL/Git"}, "properties": {"repobilityId": 111810, "scanner": 
"repobility-supply-chain", "fingerprint": "9f3133cbef59b467d9d432299c6780a9f46b1e94ecf2be476be1fba068b1bafa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f3133cbef59b467d9d432299c6780a9f46b1e94ecf2be476be1fba068b1bafa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/config-react-native-webrtc/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ubuntu:24.04` not pinned by digest"}, "properties": {"repobilityId": 111809, "scanner": "repobility-supply-chain", "fingerprint": "9d7e46314fa6c3a039dd56f8ff08949ea6c6ff636e15365f26ad57736c143765", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d7e46314fa6c3a039dd56f8ff08949ea6c6ff636e15365f26ad57736c143765"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/bunny.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ubuntu:22.04` not pinned by digest"}, "properties": {"repobilityId": 111808, "scanner": "repobility-supply-chain", "fingerprint": "b4c769ace113fef4b0184025677cd6c2aa9e178600c71e748fd68624c4d22ad2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4c769ace113fef4b0184025677cd6c2aa9e178600c71e748fd68624c4d22ad2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/build.Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ubuntu:24.04` not pinned by digest"}, "properties": {"repobilityId": 111807, "scanner": "repobility-supply-chain", "fingerprint": "a01efbdaffcabcdc9d0da9f26c8383ffe754cfb873bb82af73fa7a3e0aa1b319", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a01efbdaffcabcdc9d0da9f26c8383ffe754cfb873bb82af73fa7a3e0aa1b319"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/local.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "go.mod replaces `github.com/bluesky-social/indigo` \u2014 redirects to fork `github.com/streamplace/indigo`"}, "properties": {"repobilityId": 111806, "scanner": "repobility-supply-chain", "fingerprint": "9c57903fb351877512d0918ad819439879b09437e8612eeeabcb64faaa8eab81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c57903fb351877512d0918ad819439879b09437e8612eeeabcb64faaa8eab81"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "go.mod replaces `github.com/AxisCommunications/go-dpop` \u2014 redirects to fork `github.com/streamplace/go-dpop`"}, "properties": {"repobilityId": 111805, "scanner": "repobility-supply-chain", "fingerprint": "a85915cda95028cc486b6ccba0e005eedf5c0565a025a7a7625a212733990c90", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a85915cda95028cc486b6ccba0e005eedf5c0565a025a7a7625a212733990c90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "go.mod replaces `github.com/gocql/gocql` \u2014 redirects to fork `github.com/scylladb/gocql`"}, "properties": {"repobilityId": 111804, "scanner": "repobility-supply-chain", "fingerprint": "c285dc804df45ece2f41eae60816975d775fee8b5b5f375e0da77b57b5d3bd48", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c285dc804df45ece2f41eae60816975d775fee8b5b5f375e0da77b57b5d3bd48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "go.mod replaces `github.com/ThalesGroup/crypto11` \u2014 redirects to fork `github.com/aquareum-tv/crypto11`"}, 
"properties": {"repobilityId": 111803, "scanner": "repobility-supply-chain", "fingerprint": "eefa6323ac8c240dc3b8649f5da40fd8128bd6546dc85c6a67d49358005b82a7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eefa6323ac8c240dc3b8649f5da40fd8128bd6546dc85c6a67d49358005b82a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 4}}}]}, {"ruleId": "GHSA-xq3m-2v4x-88gg", "level": "error", "message": {"text": "protobufjs: GHSA-xq3m-2v4x-88gg"}, "properties": {"repobilityId": 112211, "scanner": "osv-scanner", "fingerprint": "fc884e53671c369c3d45af7ee056dc6f60be81699c18bc3d4e9fca32bd843e31", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41242"], "package": "protobufjs", "rule_id": "GHSA-xq3m-2v4x-88gg", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-41242|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2w6w-674q-4c4q", "level": "error", "message": {"text": "handlebars: GHSA-2w6w-674q-4c4q"}, "properties": {"repobilityId": 112162, "scanner": "osv-scanner", "fingerprint": "ca56ed8ccfbc68b8f5bfaf84fad5737f0ade9208f726065cf9ecd4162ef86369", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33937"], "package": "handlebars", "rule_id": "GHSA-2w6w-674q-4c4q", "scanner": "osv-scanner", "correlation_key": 
"vuln|handlebars|CVE-2026-33937|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m7jm-9gc2-mpf2", "level": "error", "message": {"text": "fast-xml-parser: GHSA-m7jm-9gc2-mpf2"}, "properties": {"repobilityId": 112153, "scanner": "osv-scanner", "fingerprint": "db7f5f593c3bbed98a3a8dce2d9856dbd244753df9302fd82faea9143a830ac4", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25896"], "package": "fast-xml-parser", "rule_id": "GHSA-m7jm-9gc2-mpf2", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-25896|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p77j-4mvh-x3m3", "level": "error", "message": {"text": "google.golang.org/grpc: GHSA-p77j-4mvh-x3m3"}, "properties": {"repobilityId": 112049, "scanner": "osv-scanner", "fingerprint": "839c639f99d987cc51e4c7791f0d17b2f5813a35ea0b64f0b2f22a19ff2880f8", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33186", "GO-2026-4762"], "package": "google.golang.org/grpc", "rule_id": "GHSA-p77j-4mvh-x3m3", "scanner": "osv-scanner", "correlation_key": "vuln|google.golang.org/grpc|CVE-2026-33186|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-p77j-4mvh-x3m3", "GO-2026-4762"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["006b95240250d32e48951bd4a59590a26f554f1c27926c81c3b7b82c36e8908a", "839c639f99d987cc51e4c7791f0d17b2f5813a35ea0b64f0b2f22a19ff2880f8"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9jj7-4m8r-rfcm", "level": "error", "message": {"text": "github.com/jackc/pgx/v5: GHSA-9jj7-4m8r-rfcm"}, "properties": {"repobilityId": 112016, "scanner": "osv-scanner", "fingerprint": "ef9ee9e0c66e0363f6cb362c076cc8831981a3704c4f28aac019d7b12f282959", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33816", "GO-2026-4772"], "package": "github.com/jackc/pgx/v5", "rule_id": "GHSA-9jj7-4m8r-rfcm", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/jackc/pgx/v5|CVE-2026-33816|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-9jj7-4m8r-rfcm", "GO-2026-4772"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3522924f22196f0a71b0c5cb7af4375033cbccfe314543254805594682c6adf3", "ef9ee9e0c66e0363f6cb362c076cc8831981a3704c4f28aac019d7b12f282959"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v725-9546-7q7m", "level": "error", "message": {"text": "github.com/go-git/go-git/v5: GHSA-v725-9546-7q7m"}, "properties": {"repobilityId": 112001, "scanner": "osv-scanner", "fingerprint": "c708e8a11a8f14900007f9571b4d9bdc391c705104cac13c804fbe4b58488c5c", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-21613", "GO-2025-3368"], "package": "github.com/go-git/go-git/v5", "rule_id": "GHSA-v725-9546-7q7m", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/go-git/go-git/v5|CVE-2025-21613|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-v725-9546-7q7m", "GO-2025-3368"], "duplicate_scanners": 
["osv-scanner"], "duplicate_fingerprints": ["a2f96ea2eb09a3a22c038400123960a053c53d38137df0cba428429ac0a02d71", "c708e8a11a8f14900007f9571b4d9bdc391c705104cac13c804fbe4b58488c5c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 111954, "scanner": "gitleaks", "fingerprint": "804ec77b6bfeb5eb7faaacf25c880a75bc3b9bfed7423eb9edc6e67ba4c6e068", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "crypto_secretbox\",\n \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|54|crypto_secretbox redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust/iroh-streamplace/Cargo.lock"}, "region": {"startLine": 550}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 111953, "scanner": "gitleaks", "fingerprint": "9f2867a9ecf8f52a7a3cb1a4021d64ba65f2ce4a9490cd85c512ea5d1c15e8ab", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "stagingKey, REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|pkg/vod/process.go|44|stagingkey redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/vod/process.go"}, "region": {"startLine": 446}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which 
may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 111952, "scanner": "gitleaks", "fingerprint": "97dc088c135559517e449e6445c06b3d7d0af7a2068d1d5f15fbdc45772fbe2b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|1|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/notifications/firebase_test.go"}, "region": {"startLine": 14}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 111951, "scanner": "gitleaks", "fingerprint": "6dbce3b4477ce0e11e1d99c43e68416b675da5aa2185214efe23d744031d2f00", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|5|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/crypto/signers/eip712/eip712test/eip712test.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 111950, "scanner": "gitleaks", "fingerprint": "4044b7051f99fc48fcb47525886cc0c0932bcb6f1ade2e1850aca37f4a1367b0", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": 
{"match": "key:REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|pkg/atproto/atproto_test.go|11|key:redacted", "duplicate_count": 1, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["135898b517fb846234ff1e7c177277b900163a24cdbcf80834d785246dbc44b3", "4044b7051f99fc48fcb47525886cc0c0932bcb6f1ade2e1850aca37f4a1367b0"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/atproto/atproto_test.go"}, "region": {"startLine": 118}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 111949, "scanner": "gitleaks", "fingerprint": "366c176c92ff324f92a8e6885213712ecd5d2007de6ac52f6af656c83beb6332", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "crypto_secretbox\",\n \"REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|cargo.lock|100|crypto_secretbox redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1005}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 111948, "scanner": "gitleaks", "fingerprint": "f4a3b518ccd3a62a28e31e86251ee2540c6ff5690193d7ffc7edc09b4974b55e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": 
"secret|localhost-key.pem|1|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "localhost-key.pem"}, "region": {"startLine": 1}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 111947, "scanner": "gitleaks", "fingerprint": "14f94189296e2769a245932722f84f70c90461ed33ffa604b846c50c29264ed8", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key:REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|14|key:redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/docs/src/content/docs/video-metadata/c2pa-integration.md"}, "region": {"startLine": 150}}}]}, {"ruleId": "gcp-api-key", "level": "error", "message": {"text": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."}, "properties": {"repobilityId": 111946, "scanner": "gitleaks", "fingerprint": "879da716d97c40134742d3e3003cefbf36285f88b07b8b7e4174212c883f4652", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "gcp-api-key", "scanner": "gitleaks", "detector": "gcp-api-key", "correlation_key": "secret|js/app/google-services.json|1|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "js/app/google-services.json"}, "region": {"startLine": 18}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 111945, "scanner": "gitleaks", 
"fingerprint": "428bcf95f70c6774cadfef0d2604ddc51e9be2781d4effd23137cd768ceb8de4", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "password\": \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|docker/mistserver.json|1|password : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/mistserver.json"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 111935, "scanner": "repobility-threat-engine", "fingerprint": "021a63f8f2a81010de07aabba72eeabe9e783814fdc1c56e2064b6801da48020", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|021a63f8f2a81010de07aabba72eeabe9e783814fdc1c56e2064b6801da48020"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/spxrpc/storage.go"}, "region": {"startLine": 46}}}]}]}]}