{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Intervals created in React hooks or components should be cleared on unmount. Missing cleanup can keep stale callbacks alive after recording, polling, or overlay components close."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. 
Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `c12` is 1 major version(s) behind (3.3.4 -> 4.0.0-beta.5)", "shortDescription": {"text": "npm package `c12` is 1 major version(s) behind (3.3.4 -> 4.0.0-beta.5)"}, "fullDescription": {"text": "`c12` is pinned/resolved at 3.3.4 but the latest stable release on the npm registry is 4.0.0-beta.5 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": 
{"text": "Package indexes increase image size and can expose stale metadata in the final image layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED088", "name": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks.", "shortDescription": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 30 more): Same pattern found in 30 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 31 more): Same pattern found in 31 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 29 more): Same pattern found in 29 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 32 more): Same pattern found in 32 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 58 more): Same pattern found in 58 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 58 more): Same pattern found in 58 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. 
Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.PROJECT_ACCESS_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.PROJECT_ACCESS_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.PROJECT_ACCESS_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/884"}, "properties": {"repository": "nuxt/nuxt", "repoUrl": "https://github.com/nuxt/nuxt", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 81531, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", 
"level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 81529, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 81528, "scanner": "repobility-docker", "fingerprint": "2d2208484c91d91d396bb391119712bf46319d44b21645394b977aa95113373d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:lts@sha256:99981c3d1aac0d98cd9f03f74b92dddf30f30ffb0b34e6df8bd96283f62f12c6", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2d2208484c91d91d396bb391119712bf46319d44b21645394b977aa95113373d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on 
data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 81514, "scanner": "repobility-threat-engine", "fingerprint": "a95a81252abf6b6db4dd0260c73ccf84d97d4d17e08d1146f9c7aea3275c88f8", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|25|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/webpack/src/plugins/vue/util.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 81513, "scanner": "repobility-threat-engine", "fingerprint": "01ee4f6908011bab8fbd49636e352668e5a67a30baca89861815a09d88b5b06b", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|21|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/core/plugins/async-context.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 81512, "scanner": "repobility-threat-engine", "fingerprint": "d4ec2a1ac67324f4637e2e3a364afa077394b8f20d9bc0458ac01288387535bc", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|40|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/components/plugins/component-names.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 81506, "scanner": "repobility-threat-engine", "fingerprint": "60274bd22cfb3978fbd95e08cd8e99dc6d6a1e5dca7b1741316ba854ec5b1210", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|60274bd22cfb3978fbd95e08cd8e99dc6d6a1e5dca7b1741316ba854ec5b1210"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/vite-node.ts"}, "region": {"startLine": 313}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 81505, "scanner": "repobility-threat-engine", "fingerprint": "ad0f6dd7e24bf8c65adbf389327f02b787d0be3abba076c7fefd6920a10cc980", "category": "error_handling", "severity": "medium", 
"confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad0f6dd7e24bf8c65adbf389327f02b787d0be3abba076c7fefd6920a10cc980"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/app/plugins/view-transitions.client.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 81504, "scanner": "repobility-threat-engine", "fingerprint": "4fa2a98c7558137859a4f9a19fb917a56716089414d13f2a4b354c856d4cee33", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4fa2a98c7558137859a4f9a19fb917a56716089414d13f2a4b354c856d4cee33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/app/composables/preload.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 81482, "scanner": "repobility-agent-runtime", "fingerprint": "e97b35994ff50cba80a8be3807ff40dddcbd9fd66fbffc15fba7adbe1604bc95", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was 
found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|e97b35994ff50cba80a8be3807ff40dddcbd9fd66fbffc15fba7adbe1604bc95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/imports/presets.ts"}, "region": {"startLine": 283}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 81481, "scanner": "repobility-agent-runtime", "fingerprint": "ee942e16309fbd2b605aba1fb52e4621faa3e79d95a08960c598e82718e46a2f", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|ee942e16309fbd2b605aba1fb52e4621faa3e79d95a08960c598e82718e46a2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nitro-server/src/runtime/utils/dev.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `c12` is 1 major version(s) behind (3.3.4 -> 4.0.0-beta.5)"}, "properties": {"repobilityId": 81479, "scanner": "repobility-dependency-currency", "fingerprint": "db3b0a1b1394b36983f9aad9fcc73a50128ca8b44d5febaeb6f9b37c90cabb0c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "c12", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.0.0-beta.5", "correlation_key": 
"fp|db3b0a1b1394b36983f9aad9fcc73a50128ca8b44d5febaeb6f9b37c90cabb0c", "current_version": "3.3.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/schema/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `h3` is 1 major version(s) behind (1.15.11 -> 2.0.1-rc.22)"}, "properties": {"repobilityId": 81473, "scanner": "repobility-dependency-currency", "fingerprint": "2d26ffa9d5f79aafff32c4695ebf6c70f43428e8bba5387bb976335159705b48", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "h3", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.0.1-rc.22", "correlation_key": "fp|2d26ffa9d5f79aafff32c4695ebf6c70f43428e8bba5387bb976335159705b48", "current_version": "1.15.11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rspack/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `h3` is 1 major version(s) behind (1.15.11 -> 2.0.1-rc.22)"}, "properties": {"repobilityId": 81469, "scanner": "repobility-dependency-currency", "fingerprint": "cb54800ad7e11a6cbbc7a67d6e64b3eb758770c63ea980825cc8065f5223e98b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "h3", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.0.1-rc.22", "correlation_key": "fp|cb54800ad7e11a6cbbc7a67d6e64b3eb758770c63ea980825cc8065f5223e98b", "current_version": "1.15.11"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "packages/webpack/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `c12` is 1 major version(s) behind (^3.3.4 -> 4.0.0-beta.5)"}, "properties": {"repobilityId": 81464, "scanner": "repobility-dependency-currency", "fingerprint": "33c0b70800e8c97bb1808a30872bc14ab0d2871aace7bc9ee45b807bcc886b90", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "c12", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.0.0-beta.5", "correlation_key": "fp|33c0b70800e8c97bb1808a30872bc14ab0d2871aace7bc9ee45b807bcc886b90", "current_version": "^3.3.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kit/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 81530, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 81527, "scanner": 
"repobility-docker", "fingerprint": "33cfe27959511b40f8f10e9d3f0312a11f08eea1bc3b67135b2dda8cd47f2ecd", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|33cfe27959511b40f8f10e9d3f0312a11f08eea1bc3b67135b2dda8cd47f2ecd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 81526, "scanner": "repobility-docker", "fingerprint": "5d10fe060f5bbb518049606af21289e401725dfa338f0519c1fc95ce359857d3", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|5d10fe060f5bbb518049606af21289e401725dfa338f0519c1fc95ce359857d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 81520, "scanner": "repobility-threat-engine", "fingerprint": "c641305b63c322c8031bd8f17aaf2de3176bfd281c41e267e97a8d1af7228951", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'<script setup>' + IMPORT_CODE + '</script>'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c641305b63c322c8031bd8f17aaf2de3176bfd281c41e267e97a8d1af7228951"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/components/plugins/islands-transform.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `vue-router` is minor version(s) behind (^5.0.6 -> 5.1.0)"}, "properties": {"repobilityId": 81463, "scanner": "repobility-dependency-currency", "fingerprint": "e956025b9ac1c29056a08beb280a26b7ae0dd3bb5fa3d95532882edb501a0503", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "vue-router", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.1.0", "correlation_key": "fp|e956025b9ac1c29056a08beb280a26b7ae0dd3bb5fa3d95532882edb501a0503", "current_version": "^5.0.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/fixtures/basic-types/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 81448, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7d66236fa9d92c5f483b13dc4faf9d3b9d7c4d2cf9f9b55d76aba53dc946472d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/rspack/tsdown.config.ts", "duplicate_line": 1, "correlation_key": "fp|7d66236fa9d92c5f483b13dc4faf9d3b9d7c4d2cf9f9b55d76aba53dc946472d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/webpack/tsdown.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81447, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ea8d40b9cedf707b0004a86beef4d26b393b8876889da99f37d61c381dfb6ea9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/vite/src/plugins/vite-node.ts", "duplicate_line": 306, "correlation_key": "fp|ea8d40b9cedf707b0004a86beef4d26b393b8876889da99f37d61c381dfb6ea9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/vite-node.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81446, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"c11e9f9bb91e1f4d4521d1150e15f752549ce2a90a40170e86df2acc6da36e18", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/kit/src/internal/trace.ts", "duplicate_line": 4, "correlation_key": "fp|c11e9f9bb91e1f4d4521d1150e15f752549ce2a90a40170e86df2acc6da36e18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/app/utils.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81445, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4dd9811bfa206c01f570d5189fd69e2259c3409e07800ec020d6efe1b30feaba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/nuxt/src/app/components/nuxt-announcer.ts", "duplicate_line": 46, "correlation_key": "fp|4dd9811bfa206c01f570d5189fd69e2259c3409e07800ec020d6efe1b30feaba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/app/components/nuxt-route-announcer.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81444, "scanner": "repobility-ai-code-hygiene", "fingerprint": "10bc28a003aad647e1313fb55fbb5affde798208cba0782403a19284b7e1f2d2", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/nuxt/src/app/components/client-fallback.client.ts", "duplicate_line": 4, "correlation_key": "fp|10bc28a003aad647e1313fb55fbb5affde798208cba0782403a19284b7e1f2d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/app/components/client-fallback.server.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 81525, "scanner": "repobility-threat-engine", "fingerprint": "a1bb6273fbdc514ec53143946386dbdf16802c8fad0fe59f75dea80ba84c286d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a1bb6273fbdc514ec53143946386dbdf16802c8fad0fe59f75dea80ba84c286d"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 81519, "scanner": "repobility-threat-engine", "fingerprint": "f1c2c4035cdd6e0916d588faf9becbbbd5dd61a9e4a7efb0017757e4e82f5c05", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f1c2c4035cdd6e0916d588faf9becbbbd5dd61a9e4a7efb0017757e4e82f5c05"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 81515, "scanner": "repobility-threat-engine", "fingerprint": "2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 81511, "scanner": "repobility-threat-engine", "fingerprint": "7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670"}}}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "properties": {"repobilityId": 81507, "scanner": "repobility-threat-engine", "fingerprint": "f8dfd9d7ca55459492fc541600ad2baec67749f30a9558f0548d8877cadb2be7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f8dfd9d7ca55459492fc541600ad2baec67749f30a9558f0548d8877cadb2be7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/app/composables/state.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 30 more): Same pattern found in 30 
additional files. Review if needed."}, "properties": {"repobilityId": 81503, "scanner": "repobility-threat-engine", "fingerprint": "182edb71d35f40287628ca3c305e1ade58c14b64e4e8a921ac0ee75067627b94", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|182edb71d35f40287628ca3c305e1ade58c14b64e4e8a921ac0ee75067627b94", "aggregated_count": 30}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 81502, "scanner": "repobility-threat-engine", "fingerprint": "f185f987c1454c58c207752056c888d9db239730dc6b0924daf6da6d7bdabf1a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f185f987c1454c58c207752056c888d9db239730dc6b0924daf6da6d7bdabf1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kit/src/module/compatibility.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": 
"MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 81501, "scanner": "repobility-threat-engine", "fingerprint": "05b86e91c08c1130df020d01d2dd8835189fe3d982e8637b02fc0b46b0b7b47e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|05b86e91c08c1130df020d01d2dd8835189fe3d982e8637b02fc0b46b0b7b47e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kit/src/loader/nuxt.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 81500, "scanner": "repobility-threat-engine", "fingerprint": "c9c36cb1b0311c163eb7f543339b6174099e2f55f2ac7b91fb264bf669831bd3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c9c36cb1b0311c163eb7f543339b6174099e2f55f2ac7b91fb264bf669831bd3"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "packages/kit/src/loader/config.ts"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 81499, "scanner": "repobility-threat-engine", "fingerprint": "785a9d8b5575ed128b1c6b814ce12a095307d8a866ec53112aa4851d54a340f5", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|785a9d8b5575ed128b1c6b814ce12a095307d8a866ec53112aa4851d54a340f5", "aggregated_count": 31}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: `: any` used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 81498, "scanner": "repobility-threat-engine", "fingerprint": "57b8c813ab6b8c852160af6bbc7fbeb756644834e947b0949f981527dbcc6498", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|57b8c813ab6b8c852160af6bbc7fbeb756644834e947b0949f981527dbcc6498"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nitro-server/src/runtime/utils/config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: `: any` used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 81497, "scanner": "repobility-threat-engine", "fingerprint": "cb91adca7b53235d3516b7fca3c2972e6819b94a2d56826f57362dabb955ba20", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cb91adca7b53235d3516b7fca3c2972e6819b94a2d56826f57362dabb955ba20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nitro-server/src/runtime/plugins/dev-server-logs.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: `: any` used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 81496, "scanner": "repobility-threat-engine", "fingerprint": "87b2385975127b648f7afd3edde1751517f8f957a8499e7df0033729f6af93cf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|87b2385975127b648f7afd3edde1751517f8f957a8499e7df0033729f6af93cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kit/src/loader/config.ts"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 81495, "scanner": "repobility-threat-engine", "fingerprint": "0544e6fe05f555556705d7f64dbdc12942be0f7ce56998ffde430121732b8770", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0544e6fe05f555556705d7f64dbdc12942be0f7ce56998ffde430121732b8770", "aggregated_count": 29}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 81494, "scanner": "repobility-threat-engine", "fingerprint": "41ae0e710539dbd7bf2076e0557c9f5debb147decd1b53fc2b8abd2ab5166c70", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41ae0e710539dbd7bf2076e0557c9f5debb147decd1b53fc2b8abd2ab5166c70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/app/compat/interval.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 81493, "scanner": "repobility-threat-engine", "fingerprint": "31df084f258f5349ced5777598817a5e8d36741e086940f299898abefb13d8f7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|31df084f258f5349ced5777598817a5e8d36741e086940f299898abefb13d8f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nitro-server/src/runtime/plugins/dev-server-logs.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 81492, "scanner": "repobility-threat-engine", "fingerprint": "b188e645c946edc630fa5a46b104ff754cb4c176eb2dc9ed83ef7e5a7942d219", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b188e645c946edc630fa5a46b104ff754cb4c176eb2dc9ed83ef7e5a7942d219"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kit/src/internal/trace.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "properties": {"repobilityId": 81491, "scanner": "repobility-threat-engine", "fingerprint": "648516b624713ec6c92cd1d7b4f670acf37fda4886c38f832f2d7aecf63afa4d", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 32 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 32 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|648516b624713ec6c92cd1d7b4f670acf37fda4886c38f832f2d7aecf63afa4d"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 58 more): Same pattern found in 58 additional files. Review if needed."}, "properties": {"repobilityId": 81487, "scanner": "repobility-threat-engine", "fingerprint": "51075618d472e9d8d63be3d3f80045f1481a3d880c42ee68373d8f4ecdb3c031", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 58 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|51075618d472e9d8d63be3d3f80045f1481a3d880c42ee68373d8f4ecdb3c031", "aggregated_count": 58}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 81486, "scanner": "repobility-threat-engine", "fingerprint": "c9ca817f1869c9171224bb2dbb1ba7d57546b5f684e1090d80da3543862568c3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c9ca817f1869c9171224bb2dbb1ba7d57546b5f684e1090d80da3543862568c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kit/src/layout.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 81485, "scanner": "repobility-threat-engine", "fingerprint": "bb7111e713e3390dc42270162826ca9b38454ef5b194fb91db9d89c48fc1527f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bb7111e713e3390dc42270162826ca9b38454ef5b194fb91db9d89c48fc1527f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kit/src/ignore.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 81484, "scanner": "repobility-threat-engine", "fingerprint": "4c5dd13b1f107b195aa8441cc39d0f6157d583e106147911023e612432f8bedf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4c5dd13b1f107b195aa8441cc39d0f6157d583e106147911023e612432f8bedf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kit/src/build.ts"}, "region": {"startLine": 203}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `nitro` is patch version(s) behind (3.0.260522-beta -> 3.0.260603-beta)"}, "properties": {"repobilityId": 81480, "scanner": "repobility-dependency-currency", "fingerprint": "ef83e8b39da7d7b2d5b6f10be9153477bdb9098158eeee37b8dfbc0518fe3b69", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "nitro", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.260603-beta", "correlation_key": "fp|ef83e8b39da7d7b2d5b6f10be9153477bdb9098158eeee37b8dfbc0518fe3b69", "current_version": "3.0.260522-beta"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/schema/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package 
`@unhead/vue` is patch version(s) behind (3.1.1 -> 3.1.3)"}, "properties": {"repobilityId": 81478, "scanner": "repobility-dependency-currency", "fingerprint": "3a72b17969e4714c4e9288ade68f2f100217365de9b7a673268d89507c8d0ad5", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@unhead/vue", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.3", "correlation_key": "fp|3a72b17969e4714c4e9288ade68f2f100217365de9b7a673268d89507c8d0ad5", "current_version": "3.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/schema/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `tsdown` is patch version(s) behind (0.22.1 -> 0.22.2)"}, "properties": {"repobilityId": 81477, "scanner": "repobility-dependency-currency", "fingerprint": "65f2008cef92d78d457dfa11aa5e9ecff3c29e16689976bc410ccfab0ffe58c6", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsdown", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.22.2", "correlation_key": "fp|65f2008cef92d78d457dfa11aa5e9ecff3c29e16689976bc410ccfab0ffe58c6", "current_version": "0.22.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nitro-server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `nitro` is patch version(s) behind (^3.0.260522-beta -> 3.0.260603-beta)"}, "properties": {"repobilityId": 81476, "scanner": "repobility-dependency-currency", 
"fingerprint": "8b1df5c2d56719ad0348a0848f3d9db4c485b865e4072b865c3abff9ee1417a9", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "nitro", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.260603-beta", "correlation_key": "fp|8b1df5c2d56719ad0348a0848f3d9db4c485b865e4072b865c3abff9ee1417a9", "current_version": "^3.0.260522-beta"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nitro-server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@unhead/vue` is patch version(s) behind (^3.1.1 -> 3.1.3)"}, "properties": {"repobilityId": 81475, "scanner": "repobility-dependency-currency", "fingerprint": "27e6e544c47f300fa91bff33d922a311289cf975fe6d38d54310a9c62b36f929", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@unhead/vue", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.3", "correlation_key": "fp|27e6e544c47f300fa91bff33d922a311289cf975fe6d38d54310a9c62b36f929", "current_version": "^3.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nitro-server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `tsdown` is patch version(s) behind (0.22.1 -> 0.22.2)"}, "properties": {"repobilityId": 81474, "scanner": "repobility-dependency-currency", "fingerprint": "4fc386fa795d2e195a3348ff1f80dc36b7d495bcfef367339b2d50c09ee85e19", "category": "dependency", "severity": "info", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsdown", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.22.2", "correlation_key": "fp|4fc386fa795d2e195a3348ff1f80dc36b7d495bcfef367339b2d50c09ee85e19", "current_version": "0.22.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rspack/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `ts-checker-rspack-plugin` is patch version(s) behind (^1.3.1 -> 1.3.2)"}, "properties": {"repobilityId": 81472, "scanner": "repobility-dependency-currency", "fingerprint": "1cf020fdb9eee93c2ace97aba38cff800ed235e88b698f35e9e9d5f96893fac3", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "ts-checker-rspack-plugin", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.3.2", "correlation_key": "fp|1cf020fdb9eee93c2ace97aba38cff800ed235e88b698f35e9e9d5f96893fac3", "current_version": "^1.3.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rspack/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `memfs` is patch version(s) behind (^4.57.3 -> 4.57.6)"}, "properties": {"repobilityId": 81471, "scanner": "repobility-dependency-currency", "fingerprint": "44ffa457780b4b070d52d5a3d4592641284d37506178a21dbcbfcdc2e1a78f98", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) 
behind", "signal": "currency", "cwe_ids": [], "package": "memfs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.57.6", "correlation_key": "fp|44ffa457780b4b070d52d5a3d4592641284d37506178a21dbcbfcdc2e1a78f98", "current_version": "^4.57.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rspack/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `tsdown` is patch version(s) behind (0.22.1 -> 0.22.2)"}, "properties": {"repobilityId": 81470, "scanner": "repobility-dependency-currency", "fingerprint": "1b6c5d6256452c5a133bf09892afcf3888b28a0d4391b894105e22c8e5c7fc4b", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsdown", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.22.2", "correlation_key": "fp|1b6c5d6256452c5a133bf09892afcf3888b28a0d4391b894105e22c8e5c7fc4b", "current_version": "0.22.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/webpack/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `memfs` is patch version(s) behind (^4.57.3 -> 4.57.6)"}, "properties": {"repobilityId": 81468, "scanner": "repobility-dependency-currency", "fingerprint": "e3561c40484878c5731164c947adbb466cefe713565d8ef3345fa7b1c0bd353b", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "memfs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], 
"latest_version": "4.57.6", "correlation_key": "fp|e3561c40484878c5731164c947adbb466cefe713565d8ef3345fa7b1c0bd353b", "current_version": "^4.57.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/webpack/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `tsdown` is patch version(s) behind (0.22.1 -> 0.22.2)"}, "properties": {"repobilityId": 81467, "scanner": "repobility-dependency-currency", "fingerprint": "735b79398bf41f153e8f108b61b144a091db5ba2ffa71416e2fb4f21f1a5b258", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsdown", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.22.2", "correlation_key": "fp|735b79398bf41f153e8f108b61b144a091db5ba2ffa71416e2fb4f21f1a5b258", "current_version": "0.22.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kit/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `nitro` is patch version(s) behind (3.0.260522-beta -> 3.0.260603-beta)"}, "properties": {"repobilityId": 81466, "scanner": "repobility-dependency-currency", "fingerprint": "16709a94abc005ec884033bcaec7dddf5ee36e7c13381218490d13ebbb3cd24a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "nitro", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.260603-beta", "correlation_key": "fp|16709a94abc005ec884033bcaec7dddf5ee36e7c13381218490d13ebbb3cd24a", "current_version": 
"3.0.260522-beta"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kit/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `semver` is patch version(s) behind (^7.8.1 -> 7.8.2)"}, "properties": {"repobilityId": 81465, "scanner": "repobility-dependency-currency", "fingerprint": "7342cee39701700144a39595201ec379554457067cb922f77821f8bc6c6edf1a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "semver", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.8.2", "correlation_key": "fp|7342cee39701700144a39595201ec379554457067cb922f77821f8bc6c6edf1a", "current_version": "^7.8.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kit/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `postcss` is patch version(s) behind (^8.5.14 -> 8.5.15)"}, "properties": {"repobilityId": 81462, "scanner": "repobility-dependency-currency", "fingerprint": "18cee4d9d80371d2584bca9b72b9486a5ead40f6a2d40fdfcd5abe3b2296e3b6", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "postcss", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.5.15", "correlation_key": "fp|18cee4d9d80371d2584bca9b72b9486a5ead40f6a2d40fdfcd5abe3b2296e3b6", "current_version": "^8.5.14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/fixtures/basic/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"DEPCUR-NPM", "level": "none", "message": {"text": "npm package `semver` is patch version(s) behind (7.8.1 -> 7.8.2)"}, "properties": {"repobilityId": 81461, "scanner": "repobility-dependency-currency", "fingerprint": "373b7d0d8e37fa623873f59294ac076d4bb38c46fe6e5910e05e4d1aa6dfa8c0", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "semver", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.8.2", "correlation_key": "fp|373b7d0d8e37fa623873f59294ac076d4bb38c46fe6e5910e05e4d1aa6dfa8c0", "current_version": "7.8.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `nitro` is patch version(s) behind (3.0.260522-beta -> 3.0.260603-beta)"}, "properties": {"repobilityId": 81460, "scanner": "repobility-dependency-currency", "fingerprint": "68cdc831a4c8d67bb10496ee2c6e00320ae260e811230f4bf98c56fe88867c51", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "nitro", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.260603-beta", "correlation_key": "fp|68cdc831a4c8d67bb10496ee2c6e00320ae260e811230f4bf98c56fe88867c51", "current_version": "3.0.260522-beta"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `memfs` is patch version(s) behind (4.57.3 -> 4.57.6)"}, "properties": {"repobilityId": 81459, "scanner": 
"repobility-dependency-currency", "fingerprint": "8e996fafa2695117be8f5f538ae6c310dd3f2fb5968ee8cd1173eb6958339669", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "memfs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.57.6", "correlation_key": "fp|8e996fafa2695117be8f5f538ae6c310dd3f2fb5968ee8cd1173eb6958339669", "current_version": "4.57.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@vue/test-utils` is patch version(s) behind (2.4.10 -> 2.4.11)"}, "properties": {"repobilityId": 81458, "scanner": "repobility-dependency-currency", "fingerprint": "73b891fe39a101b9524560d772d29589933381ac8f15f44d541dedd9438a46c3", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vue/test-utils", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.4.11", "correlation_key": "fp|73b891fe39a101b9524560d772d29589933381ac8f15f44d541dedd9438a46c3", "current_version": "2.4.10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@vitest/coverage-v8` is patch version(s) behind (4.1.7 -> 4.1.8)"}, "properties": {"repobilityId": 81457, "scanner": "repobility-dependency-currency", "fingerprint": "e53c585680dd3923eae8eaf93e9375c186959e4a1476605d55d7188ed5b47a41", "category": "dependency", "severity": "info", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/coverage-v8", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.8", "correlation_key": "fp|e53c585680dd3923eae8eaf93e9375c186959e4a1476605d55d7188ed5b47a41", "current_version": "4.1.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@unhead/vue` is patch version(s) behind (3.1.1 -> 3.1.3)"}, "properties": {"repobilityId": 81456, "scanner": "repobility-dependency-currency", "fingerprint": "1f62c1a0878bbe36002a9c83190c8a92217116cecf5a25c61bf62fb8c06a77c7", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@unhead/vue", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.3", "correlation_key": "fp|1f62c1a0878bbe36002a9c83190c8a92217116cecf5a25c61bf62fb8c06a77c7", "current_version": "3.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 81524, "scanner": "repobility-threat-engine", "fingerprint": "465bfcb5aa2abb2dd310b0bc5f0d1a9a8fed754773964ed80f968f8b114e6946", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(escapeRegExp", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|465bfcb5aa2abb2dd310b0bc5f0d1a9a8fed754773964ed80f968f8b114e6946"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/utils/transpile.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 81523, "scanner": "repobility-threat-engine", "fingerprint": "811a1f207f29b1c34752b7f836612aa4b397f110bd786dff18029b2231b82087", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(key", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|811a1f207f29b1c34752b7f836612aa4b397f110bd786dff18029b2231b82087"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vite/src/plugins/dev-server.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 81522, "scanner": "repobility-threat-engine", "fingerprint": "96422a9ffc2dd80ebd3cc10c5e8316f87089ff3f7617c34d3273d498c996658e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(escapeStringRegexp", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|96422a9ffc2dd80ebd3cc10c5e8316f87089ff3f7617c34d3273d498c996658e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/core/modules.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 81521, "scanner": "repobility-threat-engine", "fingerprint": "218acce8c848cfe0f09544912cc1304e4040872b2b1db461b764197dc880ba16", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([pascalName, type]) => `export const ${pascalName}: ${type}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|218acce8c848cfe0f09544912cc1304e4040872b2b1db461b764197dc880ba16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/components/templates.ts"}, "region": {"startLine": 185}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 81518, "scanner": "repobility-threat-engine", "fingerprint": "c12b4dd86f463ef07863196e10bdf7c39e2afd588ce4b6276017bd615bc1f0b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(search", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c12b4dd86f463ef07863196e10bdf7c39e2afd588ce4b6276017bd615bc1f0b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/core/utils/plugins.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 81517, "scanner": "repobility-threat-engine", "fingerprint": "59f6c330ed60d598ee011ee2afb52e72e26ecb37b3a3b11e666b632cd7b610cf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(code", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|59f6c330ed60d598ee011ee2afb52e72e26ecb37b3a3b11e666b632cd7b610cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/core/plugins/async-context.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 81516, "scanner": "repobility-threat-engine", "fingerprint": "78ba6a2acbd1b5bf1d02bee0d7a18e5b916e6c21f918d78f955ffcfaf0de11fc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(code", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|78ba6a2acbd1b5bf1d02bee0d7a18e5b916e6c21f918d78f955ffcfaf0de11fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/components/plugins/component-names.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 81510, "scanner": "repobility-threat-engine", "fingerprint": "b5a7b7815a61945137adae92960fef300e2c5c29098aef79c0f821982964bae2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fileResults.delete(absolutePath)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b5a7b7815a61945137adae92960fef300e2c5c29098aef79c0f821982964bae2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/compiler/module.ts"}, "region": {"startLine": 166}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 81509, "scanner": "repobility-threat-engine", "fingerprint": "8df6ddda5f51a9d4959c3aaeedf407e038a746097507bec3dff727fadf515880", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "middlewareEntries.delete(guard)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8df6ddda5f51a9d4959c3aaeedf407e038a746097507bec3dff727fadf515880"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/app/plugins/router.ts"}, "region": {"startLine": 262}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 81508, "scanner": "repobility-threat-engine", "fingerprint": "ea1b84d19eeb4d64979ea944450cdb52d57b9afc7a2610f76963379630c3ab32", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "forwardedPrefetchEntries.delete(to.path)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea1b84d19eeb4d64979ea944450cdb52d57b9afc7a2610f76963379630c3ab32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/nuxt/src/app/plugins/payload.client.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 81490, "scanner": "repobility-threat-engine", "fingerprint": "ca0562691f5f50badb0495c26da2c7d915e8ca8476f8f6e63f925d4f40f2aef9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ca0562691f5f50badb0495c26da2c7d915e8ca8476f8f6e63f925d4f40f2aef9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kit/src/loader/nuxt.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 81489, "scanner": "repobility-threat-engine", "fingerprint": "15f5b1aa4249cfbf475f7773cdc7e8560cc4706c6b0b427631cc41bb81bd54d4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|15f5b1aa4249cfbf475f7773cdc7e8560cc4706c6b0b427631cc41bb81bd54d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kit/src/loader/config.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 81488, "scanner": "repobility-threat-engine", "fingerprint": "54d619b2b6b6ab61150a45d39d07fcf0e18ce7727fbb95f6f6d2f0bcb8dcf303", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|54d619b2b6b6ab61150a45d39d07fcf0e18ce7727fbb95f6f6d2f0bcb8dcf303"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kit/src/internal/esm.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 81483, "scanner": "repobility-threat-engine", "fingerprint": "657d9bdf8b6cd0475a8afaf0184b0510121a571edadf010c7fd03f7ef03481e6", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(/(?:export\\s+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|nuxt.config.ts|33|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "nuxt.config.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.PROJECT_ACCESS_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 81455, "scanner": 
"repobility-supply-chain", "fingerprint": "65f12bd9d7f5c92ba42527db631be77e75190c79edeb255de9bcf84e8f8e300a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65f12bd9d7f5c92ba42527db631be77e75190c79edeb255de9bcf84e8f8e300a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/team-triage.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.PROJECT_ACCESS_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 81454, "scanner": "repobility-supply-chain", "fingerprint": "903bf4a1a50028f6ecf0ab51e8720aa1cb1db0bdc1dcb7ce14e7bcf0fbc14824", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|903bf4a1a50028f6ecf0ab51e8720aa1cb1db0bdc1dcb7ce14e7bcf0fbc14824"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/team-triage.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DISCORD_DISCUSSIONS_CHANNEL_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 81453, "scanner": "repobility-supply-chain", "fingerprint": "49f7be79d364e04566ed7364fcca14056d0d1bf1f214e37f77431db157760b5e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|49f7be79d364e04566ed7364fcca14056d0d1bf1f214e37f77431db157760b5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/team-triage.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DISCORD_BOT_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 81452, "scanner": "repobility-supply-chain", "fingerprint": "856c23a5cee47b07679b541b34d8f97c7ffb963221981445cdbd43cfdd6c4365", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|856c23a5cee47b07679b541b34d8f97c7ffb963221981445cdbd43cfdd6c4365"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/team-triage.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.BRIDGE_GITHUB_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 81451, "scanner": "repobility-supply-chain", "fingerprint": "bd119ba4def0d5cf58f4ed8b5e40a677dfb57b592b7f26b1164598ec6fc511b8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|bd119ba4def0d5cf58f4ed8b5e40a677dfb57b592b7f26b1164598ec6fc511b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/notify-nuxt-bridge.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 81450, "scanner": "repobility-supply-chain", "fingerprint": "9d97fd1d509af6a26f7ca56e22c5f7928a2f718736f96b8e70040ede00899a67", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d97fd1d509af6a26f7ca56e22c5f7928a2f718736f96b8e70040ede00899a67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 382}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CODSPEED_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 81449, "scanner": "repobility-supply-chain", "fingerprint": "16d9ca42488489d31052b23c021b8c11bf95ee423fd4510ccf13a9ffb1ee350e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16d9ca42488489d31052b23c021b8c11bf95ee423fd4510ccf13a9ffb1ee350e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 321}}}]}]}]}