{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "GHSA-48c2-rrv3-qjmp", "name": "yaml: GHSA-48c2-rrv3-qjmp", "shortDescription": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "fullDescription": {"text": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2v4-37r5-5v8g", "name": "ip-address: GHSA-v2v4-37r5-5v8g", "shortDescription": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "fullDescription": {"text": "ip-address has XSS in Address6 HTML-emitting methods"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jp2q-39xq-3w4g", "name": "fast-xml-parser: GHSA-jp2q-39xq-3w4g", "shortDescription": {"text": "fast-xml-parser: GHSA-jp2q-39xq-3w4g"}, "fullDescription": {"text": "Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", 
"confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gh4j-gqv2-49f6", "name": "fast-xml-parser: GHSA-gh4j-gqv2-49f6", "shortDescription": {"text": "fast-xml-parser: GHSA-gh4j-gqv2-49f6"}, "fullDescription": {"text": "fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within 
the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `electron-vite` is 1 major version(s) behind (^4.0.1 -> 5.0.0)", "shortDescription": {"text": "npm package `electron-vite` is 1 major version(s) behind (^4.0.1 -> 5.0.0)"}, "fullDescription": {"text": "`electron-vite` is pinned/resolved at ^4.0.1 but the latest stable release on the npm registry is 5.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. 
Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "GHSA-fj3w-jwp8-x2g3", "name": "fast-xml-parser: GHSA-fj3w-jwp8-x2g3", "shortDescription": {"text": "fast-xml-parser: GHSA-fj3w-jwp8-x2g3"}, "fullDescription": {"text": "fast-xml-parser has stack overflow in XMLBuilder with preserveOrder"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vpq2-c234-7xj6", "name": "@tootallnate/once: GHSA-vpq2-c234-7xj6", "shortDescription": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "fullDescription": {"text": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC007", "name": "Generated build artifact directory is present at repository root", "shortDescription": {"text": "Generated build artifact directory is present at repository root"}, "fullDescription": {"text": "Committed build outputs and caches make scans slower, confuse duplicate-code checks, and give AI agents stale generated code to imitate."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 64 more): Same pattern found in 64 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 64 more): Same pattern found in 64 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 27 more): Same pattern found in 27 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2wj-q39q-566r", "name": "vite: GHSA-v2wj-q39q-566r", "shortDescription": {"text": "vite: GHSA-v2wj-q39q-566r"}, "fullDescription": {"text": "Vite: `server.fs.deny` bypassed with queries"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p9ff-h696-f583", "name": "vite: GHSA-p9ff-h696-f583", "shortDescription": {"text": "vite: GHSA-p9ff-h696-f583"}, "fullDescription": {"text": "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ph9p-34f9-6g65", "name": "tmp: GHSA-ph9p-34f9-6g65", "shortDescription": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "fullDescription": {"text": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r6q2-hw4h-h46w", "name": "tar: GHSA-r6q2-hw4h-h46w", "shortDescription": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "fullDescription": {"text": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS"}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qffp-2rhf-9h96", "name": "tar: GHSA-qffp-2rhf-9h96", "shortDescription": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "fullDescription": {"text": "tar has Hardlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9ppj-qmqm-q256", "name": "tar: GHSA-9ppj-qmqm-q256", "shortDescription": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "fullDescription": {"text": "node-tar Symlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8qq5-rm4j-mr97", "name": "tar: GHSA-8qq5-rm4j-mr97", "shortDescription": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "fullDescription": {"text": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-83g3-92jg-28cx", "name": "tar: GHSA-83g3-92jg-28cx", "shortDescription": {"text": "tar: GHSA-83g3-92jg-28cx"}, "fullDescription": {"text": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-34x7-hfp2-rc4v", "name": "tar: GHSA-34x7-hfp2-rc4v", "shortDescription": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "fullDescription": {"text": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": 
"GHSA-mw96-cpmx-2vgc", "name": "rollup: GHSA-mw96-cpmx-2vgc", "shortDescription": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "fullDescription": {"text": "Rollup 4 has Arbitrary File Write via Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: 
GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rf6f-7fwh-wjgh", "name": "flatted: GHSA-rf6f-7fwh-wjgh", "shortDescription": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "fullDescription": {"text": "Prototype Pollution via parse() in NodeJS flatted"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-25h7-pfq9-p65f", "name": "flatted: GHSA-25h7-pfq9-p65f", "shortDescription": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "fullDescription": {"text": "flatted vulnerable to unbounded recursion DoS in parse() revive phase"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8gc5-j5rx-235r", "name": "fast-xml-parser: GHSA-8gc5-j5rx-235r", "shortDescription": {"text": "fast-xml-parser: GHSA-8gc5-j5rx-235r"}, "fullDescription": {"text": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x6wf-f3px-wcqx", "name": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx", "shortDescription": {"text": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx"}, "fullDescription": {"text": "xmldom has XML node injection through unvalidated processing instruction serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wh4c-j3r5-mjhp", "name": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp", "shortDescription": {"text": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp"}, "fullDescription": {"text": "xmldom: XML 
injection via unsafe CDATA serialization allows attacker-controlled markup insertion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j759-j44w-7fr8", "name": "@xmldom/xmldom: GHSA-j759-j44w-7fr8", "shortDescription": {"text": "@xmldom/xmldom: GHSA-j759-j44w-7fr8"}, "fullDescription": {"text": "xmldom has XML node injection through unvalidated comment serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f6ww-3ggp-fr8h", "name": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h", "shortDescription": {"text": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h"}, "fullDescription": {"text": "xmldom has XML injection through unvalidated DocumentType serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2v35-w6hq-6mfw", "name": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw", "shortDescription": {"text": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw"}, "fullDescription": {"text": "xmldom: Uncontrolled recursion in XML serialization leads to DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7h2j-956f-4vf2", "name": "@isaacs/brace-expansion: GHSA-7h2j-956f-4vf2", "shortDescription": {"text": "@isaacs/brace-expansion: GHSA-7h2j-956f-4vf2"}, "fullDescription": {"text": "@isaacs/brace-expansion has Uncontrolled Resource Consumption"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-737v-mqg7-c878", "name": "defu: GHSA-737v-mqg7-c878", "shortDescription": {"text": "defu: GHSA-737v-mqg7-c878"}, "fullDescription": {"text": "defu: Prototype pollution via `__proto__` key in defaults argument"}, "properties": 
{"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `updater/win-amd64/ztools-agent.exe` committed in source repo", "shortDescription": {"text": "Binary file `updater/win-amd64/ztools-agent.exe` committed in source repo"}, "fullDescription": {"text": "`updater/win-amd64/ztools-agent.exe` is a .exe binary (2,936,320 bytes) committed to a repo that otherwise has 283 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `softprops/action-gh-release` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-5xrq-8626-4rwp", "name": "vitest: GHSA-5xrq-8626-4rwp", "shortDescription": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "fullDescription": {"text": "When Vitest UI server is listening, arbitrary file can be read and executed"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m7jm-9gc2-mpf2", "name": "fast-xml-parser: GHSA-m7jm-9gc2-mpf2", "shortDescription": {"text": "fast-xml-parser: GHSA-m7jm-9gc2-mpf2"}, "fullDescription": {"text": "fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1066"}, "properties": {"repository": "ZToolsCenter/ZTools", "repoUrl": "https://github.com/ZToolsCenter/ZTools", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 104800, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 104795, "scanner": "osv-scanner", "fingerprint": "50bb42596af5c9f077010621340b47a31a4c2078f9d0e01ee2b787647b74301a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 104791, "scanner": "osv-scanner", "fingerprint": "a2c12e2b28152cf8b2318c26eb42f38e3894a8280e15146de8ce046c997d7d89", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 104790, "scanner": "osv-scanner", "fingerprint": "fdef028f4a816ff49a3feddc8fea57767b8bd7a5285d824fe826196183701971", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": 
"osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 104781, "scanner": "osv-scanner", "fingerprint": "0b1dff5c952a767b7990e67b0d60cc580116a9b63b14cf0d44b920a59028efbf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 104779, "scanner": "osv-scanner", "fingerprint": "d9d26d972991fffb51a1613b08ac1e8e722be1c10191fb43cced54b770250e8d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 104775, "scanner": "osv-scanner", "fingerprint": "75f1cf8ff29d8d132d579513aad4027dbb5a93646863d8e7bc0c89343d3402ef", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 104773, "scanner": "osv-scanner", "fingerprint": "529a8e201067f66e4bcd0d6408bc6eece689220a5a65ec65438a230ab5b7cf66", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2v4-37r5-5v8g", "level": "warning", "message": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "properties": {"repobilityId": 104772, "scanner": "osv-scanner", "fingerprint": "62020e206e8925629e9ce81503c184fb7740327a8f08e1c3e188f1738ecc7bb4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42338"], "package": "ip-address", "rule_id": "GHSA-v2v4-37r5-5v8g", "scanner": "osv-scanner", "correlation_key": "vuln|ip-address|CVE-2026-42338|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jp2q-39xq-3w4g", "level": "warning", "message": {"text": "fast-xml-parser: GHSA-jp2q-39xq-3w4g"}, "properties": {"repobilityId": 104768, "scanner": "osv-scanner", "fingerprint": 
"1af445e3838603a8f4b9958ec59ad4eea551242cf22c0308f89fa61103a71acd", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33349"], "package": "fast-xml-parser", "rule_id": "GHSA-jp2q-39xq-3w4g", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-33349|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gh4j-gqv2-49f6", "level": "warning", "message": {"text": "fast-xml-parser: GHSA-gh4j-gqv2-49f6"}, "properties": {"repobilityId": 104767, "scanner": "osv-scanner", "fingerprint": "55c8ddf786242f8348f0e9bc58edaf2b984907cd428c9be51381737c1db7285a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41650"], "package": "fast-xml-parser", "rule_id": "GHSA-gh4j-gqv2-49f6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-41650|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 104764, "scanner": "osv-scanner", "fingerprint": "df9432682f1efa01d242974fb7d6c679d3a112195415b0ccdedda1d7decb9db5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 104763, "scanner": "osv-scanner", "fingerprint": "6ed3e11856b985dfd38b234bdeafe6eb9fdd6ace1789aa46a716324dba77d441", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 104762, "scanner": "osv-scanner", "fingerprint": "0b4075edd70eccc9e81ce84656b8a0c1040ecc83769ba1ed4fe7ce3796321c93", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 104753, "scanner": "osv-scanner", "fingerprint": "03aa1c7297c8b8c6d57dd5715284ab2799155808c2f9c43aca703bfa43efca46", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": 
"osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 104751, "scanner": "osv-scanner", "fingerprint": "8b51f9bca8927fe93ada941454d2bf21595d6744f3a95d724be36f158a8b5390", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 104749, "scanner": "osv-scanner", "fingerprint": "b449f11031619defaf5519e487d528efba6ed9e5b65a71c31f92670bb0114c1b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 104744, "scanner": "osv-scanner", "fingerprint": "daee82b65403a7a892112bac5c0019c10f8d87401b9ab625a31c2561a727bee9", "category": "dependency", "severity": "medium", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 104743, "scanner": "repobility-threat-engine", "fingerprint": "eaa77a138524ba716affeffd4e8c3fb1d87e12cb2083b556681a614f1348c7b2", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractAll(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|166|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/utils/zpxArchive.ts"}, "region": {"startLine": 166}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 104741, "scanner": "repobility-threat-engine", "fingerprint": "2d3953bebec4af905f5795bf4d8b874f0f75c5578679f485f552793cba884f33", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ivate newAssemblyId(): string {\n    return `asm_${Date.now()}_${Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2d3953bebec4af905f5795bf4d8b874f0f75c5578679f485f552793cba884f33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/managers/pluginAssemblyCoordinator.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 104736, "scanner": "repobility-threat-engine", "fingerprint": "5850be57e09b47d101ff950a76b0c92fc9e7a31ccdcdb556d85f435ef69565df", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5850be57e09b47d101ff950a76b0c92fc9e7a31ccdcdb556d85f435ef69565df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/managers/pluginAssemblyCoordinator.ts"}, "region": {"startLine": 283}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 104735, 
"scanner": "repobility-threat-engine", "fingerprint": "cdd8910bcb7d2c399faa8dc67bcf4cedcb4e51a7796ac60937978c85b341ebaa", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cdd8910bcb7d2c399faa8dc67bcf4cedcb4e51a7796ac60937978c85b341ebaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/pluginWindowManager.ts"}, "region": {"startLine": 285}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 104734, "scanner": "repobility-threat-engine", "fingerprint": "3547ae1ad01b42a19467898a9cc12c566308fd8a93da7e797dd2bbff6718682d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3547ae1ad01b42a19467898a9cc12c566308fd8a93da7e797dd2bbff6718682d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/ffmpeg.ts"}, "region": {"startLine": 185}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection). The sandbox-escape detail above is Python-specific; this result matched `exec(` in a TypeScript file, so check whether the call is a shell-command exec built from interpolated input (a command-injection concern) before accepting the confirmed verdict."}, "properties": {"repobilityId": 104710, "scanner": "repobility-threat-engine", "fingerprint": "6473b161a990fa2e13c6cc0952fb3734ed863f8c876e0e7beaedda0f8aef2def", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|31|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/commandLauncher/macLauncher.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection). The sandbox-escape detail above is Python-specific; this result matched `exec(` in a TypeScript file, so check whether the call is a shell-command exec built from interpolated input (a command-injection concern) before accepting the confirmed verdict."}, "properties": {"repobilityId": 104709, "scanner": "repobility-threat-engine", "fingerprint": "44a67da5c90a26a92b4f0f12e18b77a38a60f2f4dc8df8ffaf199d8d42ae0276", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|71|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/commandLauncher/linuxLauncher.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection). The sandbox-escape detail above is Python-specific; this result matched `.exec(` in a TypeScript file, so check whether the call is a command-execution API or a regular-expression exec() before accepting the confirmed verdict."}, "properties": {"repobilityId": 104708, "scanner": "repobility-threat-engine", "fingerprint": "d227de2310512625a38879ce290e41bacf79b6ed7b4f2f24a55d4b48386eb1bd", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|66|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/utils/themeUtils.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 104695, "scanner": "repobility-agent-runtime", "fingerprint": "cd83ec220f5e30f1b95e483147ced9e31d266db4fbe3b2d6e248e87ddbad175a", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|cd83ec220f5e30f1b95e483147ced9e31d266db4fbe3b2d6e248e87ddbad175a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/utils/lanzou.ts"}, "region": {"startLine": 247}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `electron-vite` is 1 major version(s) behind (^4.0.1 -> 5.0.0)"}, "properties": {"repobilityId": 104689, "scanner": "repobility-dependency-currency", "fingerprint": "101b5e3ab3867d2ea9c8c3dfaadaf8b01a226957c321d829a72c60dc321d094f", "category": "dependency", "severity": 
"medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "electron-vite", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.0", "correlation_key": "fp|101b5e3ab3867d2ea9c8c3dfaadaf8b01a226957c321d829a72c60dc321d094f", "current_version": "^4.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `concurrently` is 1 major version(s) behind (^9.1.2 -> 10.0.3)"}, "properties": {"repobilityId": 104688, "scanner": "repobility-dependency-currency", "fingerprint": "bd49439ef4205c5e9cbce6baa8934d15d40c4c6e8b4c3bfc107103303a61e557", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "concurrently", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.3", "correlation_key": "fp|bd49439ef4205c5e9cbce6baa8934d15d40c4c6e8b4c3bfc107103303a61e557", "current_version": "^9.1.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/uuid` is 1 major version(s) behind (^10.0.0 -> 11.0.0)"}, "properties": {"repobilityId": 104686, "scanner": "repobility-dependency-currency", "fingerprint": "d6ce3c0a397c381f39ed0de22c29d4cef24de16ce4e441d01ed181b937b6e6d0", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", 
"signal": "currency", "cwe_ids": [], "package": "@types/uuid", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.0.0", "correlation_key": "fp|d6ce3c0a397c381f39ed0de22c29d4cef24de16ce4e441d01ed181b937b6e6d0", "current_version": "^10.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/marked` is 1 major version(s) behind (^5.0.2 -> 6.0.0)"}, "properties": {"repobilityId": 104685, "scanner": "repobility-dependency-currency", "fingerprint": "8876c0815a691dae60ddabc48813b932846e3f49e3f32e7313fe241e87aa3833", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/marked", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.0", "correlation_key": "fp|8876c0815a691dae60ddabc48813b932846e3f49e3f32e7313fe241e87aa3833", "current_version": "^5.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `uuid` is 1 major version(s) behind (^13.0.0 -> 14.0.0)"}, "properties": {"repobilityId": 104681, "scanner": "repobility-dependency-currency", "fingerprint": "6b910dae1083598b8349215f827fc49c2fa8be0d7a53b0e0902e8c660774a023", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "uuid", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], 
"latest_version": "14.0.0", "correlation_key": "fp|6b910dae1083598b8349215f827fc49c2fa8be0d7a53b0e0902e8c660774a023", "current_version": "^13.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `marked` is 1 major version(s) behind (^17.0.1 -> 18.0.5)"}, "properties": {"repobilityId": 104676, "scanner": "repobility-dependency-currency", "fingerprint": "99cc6b3e0ee7c94894b51483a15014717fd803ee01ff9ec3fa5e00b47859d524", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "marked", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "18.0.5", "correlation_key": "fp|99cc6b3e0ee7c94894b51483a15014717fd803ee01ff9ec3fa5e00b47859d524", "current_version": "^17.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `chokidar` is 1 major version(s) behind (^4.0.3 -> 5.0.0)"}, "properties": {"repobilityId": 104672, "scanner": "repobility-dependency-currency", "fingerprint": "37465835554f10efac61c46b4f8dde31e3e0d88130bb2424c79e59120ba13d8f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chokidar", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.0", "correlation_key": "fp|37465835554f10efac61c46b4f8dde31e3e0d88130bb2424c79e59120ba13d8f", "current_version": "^4.0.3"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 104799, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 104798, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 104797, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": 
"quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 104796, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fj3w-jwp8-x2g3", "level": "note", "message": {"text": "fast-xml-parser: GHSA-fj3w-jwp8-x2g3"}, "properties": {"repobilityId": 104766, "scanner": "osv-scanner", "fingerprint": "ff48174273c736800346c107c36df4be991b176ccdbe3297a81bbad806d6894a", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27942"], "package": "fast-xml-parser", "rule_id": "GHSA-fj3w-jwp8-x2g3", "scanner": "osv-scanner", 
"correlation_key": "vuln|fast-xml-parser|CVE-2026-27942|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vpq2-c234-7xj6", "level": "note", "message": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "properties": {"repobilityId": 104756, "scanner": "osv-scanner", "fingerprint": "573ec4a58862875e8ce61f54e2504d06b2ca4d339b9ec7540be71ab58ff09e02", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-3449"], "package": "@tootallnate/once", "rule_id": "GHSA-vpq2-c234-7xj6", "scanner": "osv-scanner", "correlation_key": "vuln|tootallnate/once|CVE-2026-3449|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `vue-eslint-parser` is minor version(s) behind (^10.2.0 -> 10.4.1)"}, "properties": {"repobilityId": 104694, "scanner": "repobility-dependency-currency", "fingerprint": "00b63f7197955d34fc1d0287905a431ca78d1cbee938ca17b6b9076da982e51e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "vue-eslint-parser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.4.1", "correlation_key": "fp|00b63f7197955d34fc1d0287905a431ca78d1cbee938ca17b6b9076da982e51e", "current_version": "^10.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `prettier` is minor version(s) behind (^3.6.2 -> 3.8.3)"}, "properties": 
{"repobilityId": 104693, "scanner": "repobility-dependency-currency", "fingerprint": "b2ea690645deb928407004357dceb7b0cca8cc34ea8ab4917abcfc5398b2ab0f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prettier", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.8.3", "correlation_key": "fp|b2ea690645deb928407004357dceb7b0cca8cc34ea8ab4917abcfc5398b2ab0f", "current_version": "^3.6.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `node-gyp` is minor version(s) behind (^12.1.0 -> 12.4.0)"}, "properties": {"repobilityId": 104692, "scanner": "repobility-dependency-currency", "fingerprint": "b56aed26fc6004098c11b465257f4f7f8d7c9fa6b7507bf7f737ad52dbbf2f21", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "node-gyp", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "12.4.0", "correlation_key": "fp|b56aed26fc6004098c11b465257f4f7f8d7c9fa6b7507bf7f737ad52dbbf2f21", "current_version": "^12.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `eslint-plugin-vue` is minor version(s) behind (^10.4.0 -> 10.9.2)"}, "properties": {"repobilityId": 104690, "scanner": "repobility-dependency-currency", "fingerprint": "5f98bbd225c66b9a292b90c24dfafdff269841bd3c9b9b33e80b1c1e8af67b70", "category": "dependency", 
"severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-vue", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.9.2", "correlation_key": "fp|5f98bbd225c66b9a292b90c24dfafdff269841bd3c9b9b33e80b1c1e8af67b70", "current_version": "^10.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `yaml` is minor version(s) behind (^2.8.2 -> 2.9.0)"}, "properties": {"repobilityId": 104683, "scanner": "repobility-dependency-currency", "fingerprint": "6d27242809985a1eea7236b5551ed2cb2125ecaa64acaafc897ec5d322af0ff2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "yaml", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.9.0", "correlation_key": "fp|6d27242809985a1eea7236b5551ed2cb2125ecaa64acaafc897ec5d322af0ff2", "current_version": "^2.8.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `webdav` is minor version(s) behind (^5.8.0 -> 5.10.0)"}, "properties": {"repobilityId": 104682, "scanner": "repobility-dependency-currency", "fingerprint": "24cad57c13190c9470ab52891c56658c8a8f64beaa0fe9e0ee7132cb2d258ad8", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], 
"package": "webdav", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.10.0", "correlation_key": "fp|24cad57c13190c9470ab52891c56658c8a8f64beaa0fe9e0ee7132cb2d258ad8", "current_version": "^5.8.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `pinyin-pro` is minor version(s) behind (^3.24.2 -> 3.28.1)"}, "properties": {"repobilityId": 104677, "scanner": "repobility-dependency-currency", "fingerprint": "24b4d1b62d4bf8208de1d9cd943e6e58b47bfd54ca9fe83f58ca4b8f635e8171", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pinyin-pro", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.28.1", "correlation_key": "fp|24b4d1b62d4bf8208de1d9cd943e6e58b47bfd54ca9fe83f58ca4b8f635e8171", "current_version": "^3.24.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `lmdb` is minor version(s) behind (^3.4.4 -> 3.5.5)"}, "properties": {"repobilityId": 104675, "scanner": "repobility-dependency-currency", "fingerprint": "f3d030678881024db422fd1fc1008ce38d76c68c801ed80cc62a2ed20f4de5d2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "lmdb", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.5.5", "correlation_key": 
"fp|f3d030678881024db422fd1fc1008ce38d76c68c801ed80cc62a2ed20f4de5d2", "current_version": "^3.4.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `fuse.js` is minor version(s) behind (^7.0.0 -> 7.4.1)"}, "properties": {"repobilityId": 104674, "scanner": "repobility-dependency-currency", "fingerprint": "8071347cb7472bef89ba9763d3813c31bbab02f12b6335398511763371c15351", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "fuse.js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.4.1", "correlation_key": "fp|8071347cb7472bef89ba9763d3813c31bbab02f12b6335398511763371c15351", "current_version": "^7.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@electron/asar` is minor version(s) behind (^4.1.0 -> 4.2.0)"}, "properties": {"repobilityId": 104670, "scanner": "repobility-dependency-currency", "fingerprint": "cead14f82a5c7274dfed5ab8f7d77c9866a7b56440d41f4ecdeae9946795c05b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@electron/asar", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.2.0", "correlation_key": "fp|cead14f82a5c7274dfed5ab8f7d77c9866a7b56440d41f4ecdeae9946795c05b", "current_version": "^4.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104656, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d96fbfbbe556a4169795282d8a3344c4c66c13802663de2ffc85914e31c4200f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/renderer/src/components/detached/DetachedTitlebar.vue", "duplicate_line": 168, "correlation_key": "fp|d96fbfbbe556a4169795282d8a3344c4c66c13802663de2ffc85914e31c4200f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/components/updater/UpdateWindow.vue"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104655, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d20d8d34009ea365b0f9984aa8693c30dafe82caddae8af950ceedea94689763", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/renderer/src/App.vue", "duplicate_line": 242, "correlation_key": "fp|d20d8d34009ea365b0f9984aa8693c30dafe82caddae8af950ceedea94689763"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/components/updater/UpdateWindow.vue"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 104654, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9cf5cabaa50444aec2fb446c44604a164e64f1c2f61b06e3f3edbf9bf0967cb1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/renderer/src/App.vue", "duplicate_line": 243, "correlation_key": "fp|9cf5cabaa50444aec2fb446c44604a164e64f1c2f61b06e3f3edbf9bf0967cb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/components/detached/DetachedTitlebar.vue"}, "region": {"startLine": 159}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104653, "scanner": "repobility-ai-code-hygiene", "fingerprint": "182613ef447b3009064a8a6a57136eb446bbe0986ee8244091439657682328e1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/renderer/src/components/common/MainPushList.vue", "duplicate_line": 110, "correlation_key": "fp|182613ef447b3009064a8a6a57136eb446bbe0986ee8244091439657682328e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/components/common/VerticalList.vue"}, "region": {"startLine": 102}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104652, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "6aca8d592cfb3646254054bdbe37e896e7249dc3b31bec297d457f68f0f58c59", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/components/common/DetailPanel/DetailPanel.vue", "duplicate_line": 25, "correlation_key": "fp|6aca8d592cfb3646254054bdbe37e896e7249dc3b31bec297d457f68f0f58c59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/components/common/DetailPanel.vue"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104651, "scanner": "repobility-ai-code-hygiene", "fingerprint": "38d6f75c3304e24972485f804127575352d4ad239334c19cb2280949b9e0f8fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/views/DataSetting/DataSetting.vue", "duplicate_line": 398, "correlation_key": "fp|38d6f75c3304e24972485f804127575352d4ad239334c19cb2280949b9e0f8fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/components/common/CommandList.vue"}, "region": {"startLine": 253}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104650, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "c4a336ccbc5794e34006643d3ec284fc006740ae2eeffd8c0b4e90ce2f220e19", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/components/common/AdaptiveIcon/AdaptiveIcon.vue", "duplicate_line": 48, "correlation_key": "fp|c4a336ccbc5794e34006643d3ec284fc006740ae2eeffd8c0b4e90ce2f220e19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/components/common/AdaptiveIcon.vue"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104649, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b38d088a06705bb6876781288695f7928b856039d633637e6f35db5fe008c2a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/httpServer.ts", "duplicate_line": 55, "correlation_key": "fp|6b38d088a06705bb6876781288695f7928b856039d633637e6f35db5fe008c2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/mcpServer.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104648, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e9a892cb59c94302479678f9197877b5238d9ed87d11067bed334c4c5707c0c2", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/commandLauncher/linuxLauncher.ts", "duplicate_line": 31, "correlation_key": "fp|e9a892cb59c94302479678f9197877b5238d9ed87d11067bed334c4c5707c0c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/commandLauncher/windowsLauncher.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104647, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ba6797bc2d0f98fe843d8ece6b7e3a75caa9e51b3c2e73d633c3c7bcf3ef74e1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/core/commandLauncher/linuxLauncher.ts", "duplicate_line": 32, "correlation_key": "fp|ba6797bc2d0f98fe843d8ece6b7e3a75caa9e51b3c2e73d633c3c7bcf3ef74e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/commandLauncher/macLauncher.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104646, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9cb0d14bd210ba5f819256a619c58d82d4ab509f579328ede1ce600af09916a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/api/index.ts", "duplicate_line": 43, "correlation_key": "fp|d9cb0d14bd210ba5f819256a619c58d82d4ab509f579328ede1ce600af09916a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/api/renderer/settings.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104645, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8a842e7564d08371d5fd00ec62be006b388987b7f3599a98594fa825a72a0b5d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/views/AiModelsSetting/components/AiModelEditor/AiModelEditor.vue", "duplicate_line": 144, "correlation_key": "fp|8a842e7564d08371d5fd00ec62be006b388987b7f3599a98594fa825a72a0b5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/views/WebSearchSetting/components/WebSearchEditor/WebSearchEditor.vue"}, "region": {"startLine": 241}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104644, "scanner": "repobility-ai-code-hygiene", "fingerprint": "91ce6fd29560a5eb71a333e06785478fdb7c04144f8f1fba337cdc1cd95bd37a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/views/AiModelsSetting/AiModelsSetting.vue", "duplicate_line": 166, "correlation_key": "fp|91ce6fd29560a5eb71a333e06785478fdb7c04144f8f1fba337cdc1cd95bd37a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/views/WebSearchSetting/WebSearchSetting.vue"}, "region": {"startLine": 190}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104643, "scanner": "repobility-ai-code-hygiene", "fingerprint": "61068cc13c6755d98594ac00c291049aba99a3c52b606d2931af1c7ee2c65a91", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/views/HttpServiceSetting/HttpServiceSetting.vue", "duplicate_line": 231, "correlation_key": "fp|61068cc13c6755d98594ac00c291049aba99a3c52b606d2931af1c7ee2c65a91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/views/SyncSetting/SyncSetting.vue"}, "region": {"startLine": 340}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104642, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d6b794ee03b2a7902fee9518adb8c9a01781620ab1009a81a68bdfb44de85bfd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/components/common/PluginDetail/PluginDetailTabs.vue", "duplicate_line": 240, "correlation_key": "fp|d6b794ee03b2a7902fee9518adb8c9a01781620ab1009a81a68bdfb44de85bfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/views/PluginMarketSetting/components/PluginDetail/PluginDetail.vue"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104641, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4159d0d98e9f06655111e5b3622b25b1c9b4c646d2abf3d48a2f5ba88247d83e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/components/common/PluginDetail/PluginDetailHeader.vue", "duplicate_line": 68, "correlation_key": "fp|4159d0d98e9f06655111e5b3622b25b1c9b4c646d2abf3d48a2f5ba88247d83e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/views/PluginMarketSetting/components/PluginCard/PluginCard.vue"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104640, "scanner": "repobility-ai-code-hygiene", "fingerprint": "47f61403ff33608549e2cccaa7e6a7c84e312a2d1e67d3679dfcebadd03f8a73", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/views/PluginMarketSetting/PluginMarketSetting.vue", "duplicate_line": 685, "correlation_key": "fp|47f61403ff33608549e2cccaa7e6a7c84e312a2d1e67d3679dfcebadd03f8a73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/views/PluginMarketSetting/components/CategoryDetail/CategoryDetail.vue"}, "region": {"startLine": 138}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104639, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c2e272b9f1720b0f05a53728a2333a18b56fa42852daf1ff63a64f5f40557f6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/views/AiModelsSetting/AiModelsSetting.vue", "duplicate_line": 244, "correlation_key": "fp|1c2e272b9f1720b0f05a53728a2333a18b56fa42852daf1ff63a64f5f40557f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/views/PluginMarketSetting/PluginMarketSetting.vue"}, "region": {"startLine": 628}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104638, "scanner": "repobility-ai-code-hygiene", "fingerprint": "94707ce8af125e4e1b891ae6d563bfb1886bcf7e7e2dfb93a52483dc35fd1029", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/components/common/ConfirmDialog/ConfirmDialog.vue", "duplicate_line": 107, "correlation_key": "fp|94707ce8af125e4e1b891ae6d563bfb1886bcf7e7e2dfb93a52483dc35fd1029"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/views/PluginInstaller/PluginInstaller.vue"}, "region": {"startLine": 418}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104637, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8a4cdd333ddeb1b4d43869e06e96345ff5e204eea5a1fb9e0ea8c39ce1ee22dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/views/HttpServiceSetting/HttpServiceSetting.vue", "duplicate_line": 242, "correlation_key": "fp|8a4cdd333ddeb1b4d43869e06e96345ff5e204eea5a1fb9e0ea8c39ce1ee22dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/views/McpServiceSetting/McpServiceSetting.vue"}, "region": {"startLine": 306}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104636, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eaef0df16bc84dc769f42c91782b7186d15ef54917e09251fbd5ce30158a4e2e", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/views/AiModelsSetting/AiModelsSetting.vue", "duplicate_line": 166, "correlation_key": "fp|eaef0df16bc84dc769f42c91782b7186d15ef54917e09251fbd5ce30158a4e2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/views/LocalLaunchSetting/LocalLaunchSetting.vue"}, "region": {"startLine": 353}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104635, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4cd0027549d25ddfbdbc2157466b4074290c2838f58b266f135c94da631967fa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/components/common/PluginDetail/PluginDetailTabs.vue", "duplicate_line": 471, "correlation_key": "fp|4cd0027549d25ddfbdbc2157466b4074290c2838f58b266f135c94da631967fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/views/DataSetting/DataSetting.vue"}, "region": {"startLine": 477}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104634, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5fc0b2babba831a8a472919bcf3ff13dedd00382f680b57b3f00a53068007d2a", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/views/AiModelsSetting/AiModelsSetting.vue", "duplicate_line": 239, "correlation_key": "fp|5fc0b2babba831a8a472919bcf3ff13dedd00382f680b57b3f00a53068007d2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/views/DataSetting/DataSetting.vue"}, "region": {"startLine": 272}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104633, "scanner": "repobility-ai-code-hygiene", "fingerprint": "58a69b793e816221b22a3463f4668bf5a05dbe6306e8efcb0d9ae66b4227f4f7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/components/common/Dropdown/Dropdown.vue", "duplicate_line": 184, "correlation_key": "fp|58a69b793e816221b22a3463f4668bf5a05dbe6306e8efcb0d9ae66b4227f4f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/components/common/TagDropdown/TagDropdown.vue"}, "region": {"startLine": 144}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104632, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4033b87ac1a707d45002742a6e147dd2bb06ac4c3edf843c4aa179e26b9d989", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/components/common/PluginDetail/PluginDetail.vue", "duplicate_line": 42, "correlation_key": "fp|f4033b87ac1a707d45002742a6e147dd2bb06ac4c3edf843c4aa179e26b9d989"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/components/common/PluginDetail/usePluginDetail.ts"}, "region": {"startLine": 431}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104631, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ab6cf598a023644c2e6837d61315b6ff6db676045011cbaad31df58b17cebfc0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/components/common/PluginDetail/PluginDetailTabs.vue", "duplicate_line": 39, "correlation_key": "fp|ab6cf598a023644c2e6837d61315b6ff6db676045011cbaad31df58b17cebfc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/components/common/PluginDetail/usePluginDetail.ts"}, "region": {"startLine": 311}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104630, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"7b2d51923ae834582cd3183c26a692a8cd4a17fc8ff103c6bbfdf7958c3eb80c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/components/common/PluginDetail/PluginDetailHeader.vue", "duplicate_line": 308, "correlation_key": "fp|7b2d51923ae834582cd3183c26a692a8cd4a17fc8ff103c6bbfdf7958c3eb80c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/components/common/PluginDetail/PluginDetailTabs.vue"}, "region": {"startLine": 271}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104629, "scanner": "repobility-ai-code-hygiene", "fingerprint": "739a7c1481dd009cb783d19a054d638c14f83f3794d9207d0b2e6044de5275cc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/components/common/PluginDetail/PluginDetail.vue", "duplicate_line": 209, "correlation_key": "fp|739a7c1481dd009cb783d19a054d638c14f83f3794d9207d0b2e6044de5275cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/components/common/PluginDetail/PluginDetailHeader.vue"}, "region": {"startLine": 360}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104628, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "ca149f1063127b39566e6fe93b9de17f5b944c62da023000d3b931f4b1b356b4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/components/common/CommandCard/CommandCard.vue", "duplicate_line": 15, "correlation_key": "fp|ca149f1063127b39566e6fe93b9de17f5b944c62da023000d3b931f4b1b356b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/components/common/FeatureCard/FeatureCard.vue"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 104627, "scanner": "repobility-ai-code-hygiene", "fingerprint": "02a5f3856966f3ffd0ebea14c987987d476bc5ab653847be1be7d29940c5d0ca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal-plugins/setting/src/components/common/CommandTag/CommandTag.vue", "duplicate_line": 100, "correlation_key": "fp|02a5f3856966f3ffd0ebea14c987987d476bc5ab653847be1be7d29940c5d0ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/components/common/Dropdown/Dropdown.vue"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC007", "level": "note", "message": {"text": "Generated build artifact directory is present at repository root"}, "properties": {"repobilityId": 
104626, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1", "category": "quality", "severity": "low", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a common generated artifact directory.", "evidence": {"rule_id": "AIC007", "scanner": "repobility-ai-code-hygiene", "directory": "build", "references": ["https://git-scm.com/docs/gitignore", "https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 104738, "scanner": "repobility-threat-engine", "fingerprint": "60aee5d2d74d248103ea743b6d0414ce81858b9242eed88f7e1bc110b3bf8844", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`[Proxy] ${name} \u5df2\u5e94\u7528\u81ea\u5b9a\u4e49\u4ee3\u7406: ${this.currentConfig.proxyRules}`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|7|console.log proxy name : token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/managers/proxyManager.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 104737, "scanner": "repobility-threat-engine", "fingerprint": "89c2dd29b105e98ce92c3727f21ed2e68129dcc6724ccc22d37406d4d6497714", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.error(`[HttpServer] \u7aef\u53e3 ${this.config.port} \u5df2\u88ab\u5360\u7528`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|src/main/core/httpserver.ts|8|console.error httpserver this.config.port"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/httpServer.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 104733, "scanner": "repobility-threat-engine", "fingerprint": "8ef4fc4a1d1afa020d5157bc26f8e97b25b84982c476e0fc9fc2b462b5f52536", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8ef4fc4a1d1afa020d5157bc26f8e97b25b84982c476e0fc9fc2b462b5f52536", "aggregated_count": 6}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 104732, "scanner": "repobility-threat-engine", "fingerprint": "ff4dd8aa3955044d60055d15a41722fe07642b3bd39ab27d8bb19390487543a9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff4dd8aa3955044d60055d15a41722fe07642b3bd39ab27d8bb19390487543a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/api/renderer/commandMatchers.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 104731, "scanner": "repobility-threat-engine", "fingerprint": "079f06197f53c4392ed1a27544ce4e75e7caef92d15f298113e6f18ca5051dda", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|079f06197f53c4392ed1a27544ce4e75e7caef92d15f298113e6f18ca5051dda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/api/plugin/window.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 104730, "scanner": "repobility-threat-engine", "fingerprint": "1a1505d98d10e2a616e0222f2a55c10bf31172fd89f7c8b636515f22d37251d7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a1505d98d10e2a616e0222f2a55c10bf31172fd89f7c8b636515f22d37251d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/api/plugin/input.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 104729, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 104728, "scanner": "repobility-threat-engine", "fingerprint": "5c8c075e1e0333667cb36f2f7cf92761f70cca7e2a14771385886ed801d15bd5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5c8c075e1e0333667cb36f2f7cf92761f70cca7e2a14771385886ed801d15bd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/common/iconUtils.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 104727, "scanner": "repobility-threat-engine", "fingerprint": "f2891a37e295992860daa92ea09861b447e4ea35ec91608c5c4882d838b0108a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2891a37e295992860daa92ea09861b447e4ea35ec91608c5c4882d838b0108a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/api/shared/imageAnalysis.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 104726, "scanner": "repobility-threat-engine", "fingerprint": "591c66d9e815fa22913641cdf5cb43c744a964ea6c65cd4e7f5747334b27bd2e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|591c66d9e815fa22913641cdf5cb43c744a964ea6c65cd4e7f5747334b27bd2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/api/plugin/http.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 additional files. 
Review if needed."}, "properties": {"repobilityId": 104725, "scanner": "repobility-threat-engine", "fingerprint": "2a90f201efe0fa0c5dec20cc574f41ea779c24e8a2731e92a392ebdb37082c00", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2a90f201efe0fa0c5dec20cc574f41ea779c24e8a2731e92a392ebdb37082c00"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 104719, "scanner": "repobility-threat-engine", "fingerprint": "a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 104715, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 104711, "scanner": "repobility-threat-engine", "fingerprint": "2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "properties": {"repobilityId": 104707, "scanner": "repobility-threat-engine", "fingerprint": "769c18fadda3776f4c38242101c83cdc970a936cb8fb23d80e2d64c6a29f9cf6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|769c18fadda3776f4c38242101c83cdc970a936cb8fb23d80e2d64c6a29f9cf6", "aggregated_count": 5}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 104706, "scanner": "repobility-threat-engine", "fingerprint": "26d2fc75844ac47376b649ffb994b28671d8f4a2838209943357e4d7dbd0e482", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|26d2fc75844ac47376b649ffb994b28671d8f4a2838209943357e4d7dbd0e482"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/api/plugin/window.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED054", "level": "none", 
"message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 104705, "scanner": "repobility-threat-engine", "fingerprint": "391941b53517aa5613e5147e185a4b1db033d687e5af9fe4a56c804bb762b351", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|391941b53517aa5613e5147e185a4b1db033d687e5af9fe4a56c804bb762b351"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/api/plugin/http.ts"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 104704, "scanner": "repobility-threat-engine", "fingerprint": "27409c7d75393707261233440553facd677266b386bc1129e7976a90b9accbf3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|27409c7d75393707261233440553facd677266b386bc1129e7976a90b9accbf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"internal-plugins/setting/src/events/codeEvent/ZtoolsCodeEvent.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 64 more): Same pattern found in 64 additional files. Review if needed."}, "properties": {"repobilityId": 104703, "scanner": "repobility-threat-engine", "fingerprint": "0053b5d9f4dc69b09e568e885f9d0906d2e490f422b43d51e27ae29bec667001", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 64 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0053b5d9f4dc69b09e568e885f9d0906d2e490f422b43d51e27ae29bec667001", "aggregated_count": 64}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 104702, "scanner": "repobility-threat-engine", "fingerprint": "cd21a5b776a52a73084c36e2b859ccafdd6e5b89a83b9ef2547f8e2af993ea06", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cd21a5b776a52a73084c36e2b859ccafdd6e5b89a83b9ef2547f8e2af993ea06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/main.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 104701, "scanner": "repobility-threat-engine", "fingerprint": "9489ba33cad613c239774938b89eaf2e8d86971594fc5db94fe18c70601eb1df", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9489ba33cad613c239774938b89eaf2e8d86971594fc5db94fe18c70601eb1df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/events/codeEvent/ZtoolsCodeEvent.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 104700, "scanner": "repobility-threat-engine", "fingerprint": "41c659efb3572f7b77d3d0b15d731931648d5698113321bacc6cfdabe20d0edf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41c659efb3572f7b77d3d0b15d731931648d5698113321bacc6cfdabe20d0edf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/events/allCodeEvent.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "properties": {"repobilityId": 104699, "scanner": "repobility-threat-engine", "fingerprint": "94f74923c8c7d4a15bd0052ef38b34f810eb178024375a04743e43f6095f5fa9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|94f74923c8c7d4a15bd0052ef38b34f810eb178024375a04743e43f6095f5fa9", "aggregated_count": 27}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 104698, "scanner": "repobility-threat-engine", "fingerprint": "688bdf08bb6dad91d2677f71161d70f5ecf6f2c985d77ac9ff8d089f9cdcaadc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|688bdf08bb6dad91d2677f71161d70f5ecf6f2c985d77ac9ff8d089f9cdcaadc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/utils/pluginUpgrade.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 104697, "scanner": "repobility-threat-engine", "fingerprint": "e5af1b92bd735054df711e161bab2721185f211c93ef8ee30161981cfe613bfb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e5af1b92bd735054df711e161bab2721185f211c93ef8ee30161981cfe613bfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/events/codeEvent/ZtoolsCodeEvent.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 104696, "scanner": "repobility-threat-engine", "fingerprint": "6c8ac17afd32ac09d3c99813278f3a0d5d232a66f2a3396521e51fa31a6b403c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6c8ac17afd32ac09d3c99813278f3a0d5d232a66f2a3396521e51fa31a6b403c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/components/common/MatchCommandDetailDialog/MatchCommandDetailDialog.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `fs-extra` is patch version(s) behind (^11.3.4 -> 11.3.5)"}, "properties": {"repobilityId": 104691, "scanner": "repobility-dependency-currency", "fingerprint": "b661dbae40661c00ff1e0abcc3a8fe75b385aa607abb9aab2f345f0866d28993", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "fs-extra", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.3.5", "correlation_key": "fp|b661dbae40661c00ff1e0abcc3a8fe75b385aa607abb9aab2f345f0866d28993", "current_version": "^11.3.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package 
`@vitejs/plugin-vue` is patch version(s) behind (^6.0.1 -> 6.0.7)"}, "properties": {"repobilityId": 104687, "scanner": "repobility-dependency-currency", "fingerprint": "c4ad916f50c5699cf2b7570f2145012eb4aa268ddb73248f56389719fbad2f9f", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitejs/plugin-vue", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.7", "correlation_key": "fp|c4ad916f50c5699cf2b7570f2145012eb4aa268ddb73248f56389719fbad2f9f", "current_version": "^6.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@types/adm-zip` is patch version(s) behind (^0.5.7 -> 0.5.8)"}, "properties": {"repobilityId": 104684, "scanner": "repobility-dependency-currency", "fingerprint": "2582609096a1435c4f8e2b5f6db3df545a16f107a740b5a9f0c2ee58ae50a44e", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/adm-zip", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.5.8", "correlation_key": "fp|2582609096a1435c4f8e2b5f6db3df545a16f107a740b5a9f0c2ee58ae50a44e", "current_version": "^0.5.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `uiohook-napi` is patch version(s) behind (^1.5.4 -> 1.5.5)"}, "properties": {"repobilityId": 104680, "scanner": "repobility-dependency-currency", "fingerprint": 
"5922330ac6c898e56c2dd6501d9fba80a915db2be60acbf1fc1beca543c15569", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "uiohook-napi", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.5.5", "correlation_key": "fp|5922330ac6c898e56c2dd6501d9fba80a915db2be60acbf1fc1beca543c15569", "current_version": "^1.5.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `turndown` is patch version(s) behind (^7.2.2 -> 7.2.4)"}, "properties": {"repobilityId": 104679, "scanner": "repobility-dependency-currency", "fingerprint": "c13b91d8e1bc4d2d8c0e5040b531915ad094285663d2fd350b20adb117e179c9", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "turndown", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.2.4", "correlation_key": "fp|c13b91d8e1bc4d2d8c0e5040b531915ad094285663d2fd350b20adb117e179c9", "current_version": "^7.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `tar` is patch version(s) behind (^7.5.9 -> 7.5.16)"}, "properties": {"repobilityId": 104678, "scanner": "repobility-dependency-currency", "fingerprint": "7967f6d8ce92a636f20f789b48f484eb5ca3d8e883b9854f334dd1983417ca99", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tar", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.5.16", "correlation_key": "fp|7967f6d8ce92a636f20f789b48f484eb5ca3d8e883b9854f334dd1983417ca99", "current_version": "^7.5.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `electron-log` is patch version(s) behind (^5.4.3 -> 5.4.4)"}, "properties": {"repobilityId": 104673, "scanner": "repobility-dependency-currency", "fingerprint": "1969e677dbc67d53c321413e49d18b188074cd4157018de2d6ae6f069a1e2362", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "electron-log", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.4.4", "correlation_key": "fp|1969e677dbc67d53c321413e49d18b188074cd4157018de2d6ae6f069a1e2362", "current_version": "^5.4.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `adm-zip` is patch version(s) behind (^0.5.16 -> 0.5.17)"}, "properties": {"repobilityId": 104671, "scanner": "repobility-dependency-currency", "fingerprint": "919a4dd68a603d3e4b425af057717981e4a72e849705209b0de8a0cabb0993f3", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "adm-zip", "scanner": "repobility-dependency-currency", "ecosystem": "npm", 
"languages": ["javascript"], "latest_version": "0.5.17", "correlation_key": "fp|919a4dd68a603d3e4b425af057717981e4a72e849705209b0de8a0cabb0993f3", "current_version": "^0.5.16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2wj-q39q-566r", "level": "error", "message": {"text": "vite: GHSA-v2wj-q39q-566r"}, "properties": {"repobilityId": 104793, "scanner": "osv-scanner", "fingerprint": "68a0844d20f136d615ab0960bcb9f017c7f8e1b97ee41d092d4cde292e2641fe", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39364"], "package": "vite", "rule_id": "GHSA-v2wj-q39q-566r", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39364|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p9ff-h696-f583", "level": "error", "message": {"text": "vite: GHSA-p9ff-h696-f583"}, "properties": {"repobilityId": 104792, "scanner": "osv-scanner", "fingerprint": "e4e3f54a4dc9146916e0304c9d50318b9ef24b5c1473da2baafc759d95054cac", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39363"], "package": "vite", "rule_id": "GHSA-p9ff-h696-f583", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39363|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ph9p-34f9-6g65", "level": "error", "message": {"text": "tmp: GHSA-ph9p-34f9-6g65"}, "properties": {"repobilityId": 104789, "scanner": "osv-scanner", "fingerprint": "85237a582679ce02ed5374b4c960bb9330e68d29c31080114a7ec45740887db3", "category": "dependency", "severity": "high", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44705"], "package": "tmp", "rule_id": "GHSA-ph9p-34f9-6g65", "scanner": "osv-scanner", "correlation_key": "vuln|tmp|CVE-2026-44705|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r6q2-hw4h-h46w", "level": "error", "message": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "properties": {"repobilityId": 104788, "scanner": "osv-scanner", "fingerprint": "a506cfec32bc23a52abb3358a13699dbb757b022e3c233283203353a8826b593", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23950"], "package": "tar", "rule_id": "GHSA-r6q2-hw4h-h46w", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23950|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qffp-2rhf-9h96", "level": "error", "message": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "properties": {"repobilityId": 104787, "scanner": "osv-scanner", "fingerprint": "f8fa987aa9acadbb491ed96885533ab55d2a0afc9f4623918e86fa3756ca851f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-29786"], "package": "tar", "rule_id": "GHSA-qffp-2rhf-9h96", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-29786|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9ppj-qmqm-q256", "level": "error", "message": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "properties": {"repobilityId": 104786, "scanner": "osv-scanner", "fingerprint": 
"69b2c0b2d95567c9d3ec0e13212c39d24902dceb82922feb24047ba7dfb846b6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-31802"], "package": "tar", "rule_id": "GHSA-9ppj-qmqm-q256", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-31802|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8qq5-rm4j-mr97", "level": "error", "message": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "properties": {"repobilityId": 104785, "scanner": "osv-scanner", "fingerprint": "4f89d9b810881688457b80c49ab868f006943a84374041c9ede83f89d8996e2f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23745"], "package": "tar", "rule_id": "GHSA-8qq5-rm4j-mr97", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23745|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-83g3-92jg-28cx", "level": "error", "message": {"text": "tar: GHSA-83g3-92jg-28cx"}, "properties": {"repobilityId": 104784, "scanner": "osv-scanner", "fingerprint": "f024e3a8dade0f899aad4e013def341d786ed8b27d0ff31b6c56f7767e17e900", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26960"], "package": "tar", "rule_id": "GHSA-83g3-92jg-28cx", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-26960|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-34x7-hfp2-rc4v", "level": "error", "message": {"text": "tar: 
GHSA-34x7-hfp2-rc4v"}, "properties": {"repobilityId": 104783, "scanner": "osv-scanner", "fingerprint": "b6245b99f855ef4f5327cea1040dc6abd2e19916475c6aa3696f274c7c921329", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24842"], "package": "tar", "rule_id": "GHSA-34x7-hfp2-rc4v", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-24842|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mw96-cpmx-2vgc", "level": "error", "message": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "properties": {"repobilityId": 104782, "scanner": "osv-scanner", "fingerprint": "0425e8b734fe5759a8789ed8ef46f76963f44ca5145876702e82443bdd19a5ab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27606"], "package": "rollup", "rule_id": "GHSA-mw96-cpmx-2vgc", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2026-27606|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 104780, "scanner": "osv-scanner", "fingerprint": "a3dd2390244022d96de63689cdd673fb906d1165f495d6a42a0980e956db632d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 104778, "scanner": "osv-scanner", "fingerprint": "c3482c8b051b710219b686b962c8edfcc83babb0e1e54a2b470ae7782dd0b574", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 104777, "scanner": "osv-scanner", "fingerprint": "2fd5e24a94dfd2116cfc5d9aeb4e4f584669c9b76d1795010331a7b69b3682a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 104776, "scanner": "osv-scanner", "fingerprint": "af7663e4c51288986bfb4927d06e33aa650fed364bb14d31804c3d4da5638193", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": 
"GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 104774, "scanner": "osv-scanner", "fingerprint": "853deeac541f0dc49600a5a4216f851e15bffd93ce8be267a82d13637ceb9e7d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rf6f-7fwh-wjgh", "level": "error", "message": {"text": "flatted: GHSA-rf6f-7fwh-wjgh"}, "properties": {"repobilityId": 104771, "scanner": "osv-scanner", "fingerprint": "bb0508d8b81791b93a087ab900f213d85cb4d8a9469875be9a0c401a10ba6490", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33228"], "package": "flatted", "rule_id": "GHSA-rf6f-7fwh-wjgh", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-33228|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-25h7-pfq9-p65f", "level": "error", "message": {"text": "flatted: GHSA-25h7-pfq9-p65f"}, "properties": {"repobilityId": 104770, "scanner": "osv-scanner", "fingerprint": "68dd2c69540d2eac4711f2087ccd7176bb1037726ae0451ddfe3dcae14fc6d75", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-32141"], "package": "flatted", "rule_id": "GHSA-25h7-pfq9-p65f", "scanner": "osv-scanner", "correlation_key": "vuln|flatted|CVE-2026-32141|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8gc5-j5rx-235r", "level": "error", "message": {"text": "fast-xml-parser: GHSA-8gc5-j5rx-235r"}, "properties": {"repobilityId": 104765, "scanner": "osv-scanner", "fingerprint": "b98108478d87351d5dbad95b8011fa0339688e7d60bb1041d7f7381fffd10707", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33036"], "package": "fast-xml-parser", "rule_id": "GHSA-8gc5-j5rx-235r", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-26278|pnpm-lock.yaml", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-8gc5-j5rx-235r", "GHSA-jmr7-xgp7-cmfj"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["4f434800ae6dd79184330958e8997d2c750ee9a89dfa1b34dfc89541eb93c10a", "b98108478d87351d5dbad95b8011fa0339688e7d60bb1041d7f7381fffd10707"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x6wf-f3px-wcqx", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx"}, "properties": {"repobilityId": 104761, "scanner": "osv-scanner", "fingerprint": "c0f892c139bfd4e3348f362e745baf38b56e6953910dde5f826a86b96dc17653", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41675"], "package": "@xmldom/xmldom", "rule_id": "GHSA-x6wf-f3px-wcqx", 
"scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41675|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wh4c-j3r5-mjhp", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-wh4c-j3r5-mjhp"}, "properties": {"repobilityId": 104760, "scanner": "osv-scanner", "fingerprint": "db94dcf07b884daf08ec926465070f7f756d1520f6dc5cc08d6c7aecc02215c2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34601"], "package": "@xmldom/xmldom", "rule_id": "GHSA-wh4c-j3r5-mjhp", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-34601|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j759-j44w-7fr8", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-j759-j44w-7fr8"}, "properties": {"repobilityId": 104759, "scanner": "osv-scanner", "fingerprint": "adbf58756e7176987a86c9d633b6754fa7e991a96c1763554be2ed2b350b3ff6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41672"], "package": "@xmldom/xmldom", "rule_id": "GHSA-j759-j44w-7fr8", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41672|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f6ww-3ggp-fr8h", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h"}, "properties": {"repobilityId": 104758, "scanner": "osv-scanner", "fingerprint": "a8991a924dfa5b75da05017304e4acd96f5d5b83ea10960fc2ad6db74c9a17c8", "category": "dependency", "severity": "high", "confidence": 
0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41674"], "package": "@xmldom/xmldom", "rule_id": "GHSA-f6ww-3ggp-fr8h", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41674|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2v35-w6hq-6mfw", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw"}, "properties": {"repobilityId": 104757, "scanner": "osv-scanner", "fingerprint": "611a284af499c2f75b689db4a9cf087c74833ffac8b9963a5d0d14fbde1eedee", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41673"], "package": "@xmldom/xmldom", "rule_id": "GHSA-2v35-w6hq-6mfw", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41673|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7h2j-956f-4vf2", "level": "error", "message": {"text": "@isaacs/brace-expansion: GHSA-7h2j-956f-4vf2"}, "properties": {"repobilityId": 104755, "scanner": "osv-scanner", "fingerprint": "63eb410576f22db1a0dd24583d6ca991f153d5945b295fb1267361a0daa04b57", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25547"], "package": "@isaacs/brace-expansion", "rule_id": "GHSA-7h2j-956f-4vf2", "scanner": "osv-scanner", "correlation_key": "vuln|isaacs/brace-expansion|CVE-2026-25547|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p9ff-h696-f583", "level": "error", "message": {"text": "vite: 
GHSA-p9ff-h696-f583"}, "properties": {"repobilityId": 104754, "scanner": "osv-scanner", "fingerprint": "c85641edd26eb347a89071d7122750f1ef9bc977bb494cfa90a75c986bf99a70", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39363"], "package": "vite", "rule_id": "GHSA-p9ff-h696-f583", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39363|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mw96-cpmx-2vgc", "level": "error", "message": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "properties": {"repobilityId": 104752, "scanner": "osv-scanner", "fingerprint": "834566052f4b6337595a2eb597775030a83fa90f9dde8e10b6d4f25bf4a955af", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27606"], "package": "rollup", "rule_id": "GHSA-mw96-cpmx-2vgc", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2026-27606|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 104750, "scanner": "osv-scanner", "fingerprint": "05f9f63d985f8f2f2b4c260e7d4a65b1af85a2198d5de9ac17cd457a2d1587fd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|token"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "internal-plugins/setting/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 104748, "scanner": "osv-scanner", "fingerprint": "75d3b012cedd2afbd46aad692af10c4644dc7445a0f488beb9fb29bfc970b8d9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 104747, "scanner": "osv-scanner", "fingerprint": "a1c795ff51ab57bb81ee2b8b09baa152676301c1b21d384e8fa52af24aaf11d3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 104746, "scanner": "osv-scanner", "fingerprint": "7730ac95740aa4c41a80b6a9ada5cbea55083add8f0aaf4c26981ac70433a5ec", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", 
"aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-737v-mqg7-c878", "level": "error", "message": {"text": "defu: GHSA-737v-mqg7-c878"}, "properties": {"repobilityId": 104745, "scanner": "osv-scanner", "fingerprint": "0388a5d71ce23c404c5ee754a7651adb1badc9231dfdd7219bbfaa05bdaca722", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-35209"], "package": "defu", "rule_id": "GHSA-737v-mqg7-c878", "scanner": "osv-scanner", "correlation_key": "vuln|defu|CVE-2026-35209|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 104742, "scanner": "repobility-threat-engine", "fingerprint": "c61b91bad8f33377c1c98020ec6987d0bb364cc8ff9eac4fc65c0dafb542e3c5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c61b91bad8f33377c1c98020ec6987d0bb364cc8ff9eac4fc65c0dafb542e3c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/utils/registrySync.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`. Browsers refuse a credentialed response whose allowed origin is the literal `*`, so with the wildcard the exposure is any response served without credentials, for example from a service reachable only on localhost or an internal network; list the specific origins that need access instead."}, "properties": {"repobilityId": 104740, "scanner": "repobility-threat-engine", "fingerprint": "e2d36d21d48a2776fbdc5547abf28e1641e4f5f167ed3f8acb170463c05461cd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'access-control-allow-origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e2d36d21d48a2776fbdc5547abf28e1641e4f5f167ed3f8acb170463c05461cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/iconProtocol.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`. Browsers refuse a credentialed response whose allowed origin is the literal `*`, so with the wildcard the exposure is any response served without credentials, for example from a service reachable only on localhost or an internal network; list the specific origins that need access instead."}, "properties": {"repobilityId": 104739, "scanner": "repobility-threat-engine", "fingerprint": "6491c5bc9cb601ae737867f918975e73e959b19e6ad4fe7db36bdbdb71702840", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6491c5bc9cb601ae737867f918975e73e959b19e6ad4fe7db36bdbdb71702840"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/httpServer.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 104724, "scanner": "repobility-threat-engine", "fingerprint": "52bc0c8965acc1f5519d43b96b2a68af54d8987663e0dd9f0c69afb1e7836bde", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.allKeysReleasedWaiters.delete(wrappedResolve)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|52bc0c8965acc1f5519d43b96b2a68af54d8987663e0dd9f0c69afb1e7836bde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/doubleTapManager.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 104723, "scanner": "repobility-threat-engine", "fingerprint": "fccb2227a08258e776e4dc08b42c08c54d42ecf5e611fdf8fb574c677cf7954b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.registeredTools.delete(webContents.id)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fccb2227a08258e776e4dc08b42c08c54d42ecf5e611fdf8fb574c677cf7954b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/api/plugin/tools.ts"}, "region": {"startLine": 247}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 104722, "scanner": "repobility-threat-engine", "fingerprint": "d115bb0615548110eb6104f2db19c7dd849180338b10d776ca9c04d8246ae818", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.pluginHeaders.delete(runtimeNamespace)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d115bb0615548110eb6104f2db19c7dd849180338b10d776ca9c04d8246ae818"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/api/plugin/http.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 104721, "scanner": "repobility-threat-engine", "fingerprint": "3e897fccf0cd167c6217e129fa974f303b2b71b4488eb36de6f3182dca2f8aab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e897fccf0cd167c6217e129fa974f303b2b71b4488eb36de6f3182dca2f8aab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/api/shared/imageAnalysis.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for 
security context (not just checksums)."}, "properties": {"repobilityId": 104720, "scanner": "repobility-threat-engine", "fingerprint": "9f53799450cc696afe9ca958cb7928b6fa43c7bea8bab127c9039c9c3e17851a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f53799450cc696afe9ca958cb7928b6fa43c7bea8bab127c9039c9c3e17851a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/api/plugin/device.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 104718, "scanner": "repobility-threat-engine", "fingerprint": "9de9504c30cd5bbf6616c52bf19e2728c9ff609f201d754329e709f01f5d8f2d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9de9504c30cd5bbf6616c52bf19e2728c9ff609f201d754329e709f01f5d8f2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/api/plugin/clipboard.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 104717, "scanner": "repobility-threat-engine", "fingerprint": "df4aa5b38e66a1a797e8ea4dbeb7a5fd7ec5a64a327be6fd1e9b982be2a446d2", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|df4aa5b38e66a1a797e8ea4dbeb7a5fd7ec5a64a327be6fd1e9b982be2a446d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/version-utils.mjs"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 104716, "scanner": "repobility-threat-engine", "fingerprint": "a8f8f70ee43c6c19de8385269e00c4c664e4c81eebbd1cfc49d46a8fe3f43975", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a8f8f70ee43c6c19de8385269e00c4c664e4c81eebbd1cfc49d46a8fe3f43975"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/updater.mjs"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 104714, "scanner": "repobility-threat-engine", "fingerprint": "a1e839481f363be822b1681515d0ed6101d886a3d46fd8f643eb5cdffa019728", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a1e839481f363be822b1681515d0ed6101d886a3d46fd8f643eb5cdffa019728"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/core/commandScanner/macScanner.ts"}, "region": {"startLine": 176}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command 
injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 104713, "scanner": "repobility-threat-engine", "fingerprint": "19ad16fad4585fe30528a38e43924b9349a7d11904a31ea8c7ef3a9d5a074ae5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|19ad16fad4585fe30528a38e43924b9349a7d11904a31ea8c7ef3a9d5a074ae5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/version-utils.mjs"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 104712, "scanner": "repobility-threat-engine", "fingerprint": "f6da3f3b4b58c3c8ae40791a1ad7a5d0e1559bca5f095d66cdccf9f331533799", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(hex", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f6da3f3b4b58c3c8ae40791a1ad7a5d0e1559bca5f095d66cdccf9f331533799"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal-plugins/setting/src/utils/themeUtils.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `updater/win-amd64/ztools-agent.exe` committed in source repo"}, "properties": {"repobilityId": 104669, "scanner": "repobility-supply-chain", "fingerprint": "760168968dbbf9c5629898a69ee69ad82919b8977a054fa99a62867d98c14472", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|760168968dbbf9c5629898a69ee69ad82919b8977a054fa99a62867d98c14472"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "updater/win-amd64/ztools-agent.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 104668, "scanner": "repobility-supply-chain", "fingerprint": "9a9335387e6a368ce88d7882f3631e7bcec75efa8acf9fa3a401d7ad23852b7d", 
"category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a9335387e6a368ce88d7882f3631e7bcec75efa8acf9fa3a401d7ad23852b7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104667, "scanner": "repobility-supply-chain", "fingerprint": "e30bc53d255c801b16dfc8383011aab515a2cb40bd95d77df2dd5d476659e8d7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e30bc53d255c801b16dfc8383011aab515a2cb40bd95d77df2dd5d476659e8d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104666, "scanner": "repobility-supply-chain", "fingerprint": "183e99de6dd2a60f27846b11d32ac4de448672647971079ee325d81fd7c7d714", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, 
"scanner": "repobility-supply-chain", "correlation_key": "fp|183e99de6dd2a60f27846b11d32ac4de448672647971079ee325d81fd7c7d714"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104665, "scanner": "repobility-supply-chain", "fingerprint": "5d618eb5379c28b48603244586cab02afec5723ebf417b8dd9825c2fc2dc6ca8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d618eb5379c28b48603244586cab02afec5723ebf417b8dd9825c2fc2dc6ca8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104664, "scanner": "repobility-supply-chain", "fingerprint": "99568f9e7fefa420986a6127332ba6af8784a57f4149b79f22f517f15ff890a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99568f9e7fefa420986a6127332ba6af8784a57f4149b79f22f517f15ff890a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": 
{"text": "Action `pnpm/action-setup` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 104663, "scanner": "repobility-supply-chain", "fingerprint": "50505c65bb9e0c5c320b00f3acad75bd2591b154aec060d7e584ccd07fd612ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50505c65bb9e0c5c320b00f3acad75bd2591b154aec060d7e584ccd07fd612ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104662, "scanner": "repobility-supply-chain", "fingerprint": "10985ca9be9e92ab73bee35180952e9e950a4a8a3dc8ddff03737e203db6a4d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10985ca9be9e92ab73bee35180952e9e950a4a8a3dc8ddff03737e203db6a4d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104661, "scanner": "repobility-supply-chain", "fingerprint": "8c149161a81f15767b0f174bcbc6d41c91b5afaccad0f68ae4f8f9cd7155a332", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c149161a81f15767b0f174bcbc6d41c91b5afaccad0f68ae4f8f9cd7155a332"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104660, "scanner": "repobility-supply-chain", "fingerprint": "c11188883fc935b9a2f48e4e081ecbddcbfeed9fea30b7f7534c639cb114d48f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c11188883fc935b9a2f48e4e081ecbddcbfeed9fea30b7f7534c639cb114d48f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 104659, "scanner": "repobility-supply-chain", "fingerprint": "4a6651c2f3452f75a3a9afc2c1a719a1adae6da0d500ab2142503112f771bf94", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|4a6651c2f3452f75a3a9afc2c1a719a1adae6da0d500ab2142503112f771bf94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 104658, "scanner": "repobility-supply-chain", "fingerprint": "fa68aa5497f70363d40ec96ee03227aaace0635873115a19ecd83af65823fc4c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa68aa5497f70363d40ec96ee03227aaace0635873115a19ecd83af65823fc4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 104657, "scanner": "repobility-supply-chain", "fingerprint": "1bb9fc5cd150bcf0d7fe6b4b1c607011ea0e205912381768a05f917d6c78798b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1bb9fc5cd150bcf0d7fe6b4b1c607011ea0e205912381768a05f917d6c78798b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "GHSA-5xrq-8626-4rwp", "level": "error", "message": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "properties": 
{"repobilityId": 104794, "scanner": "osv-scanner", "fingerprint": "0806fec4420135fab4b0c94dfe4a59c4faf5e0da4ecef5e379ff15a3f669b383", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47429"], "package": "vitest", "rule_id": "GHSA-5xrq-8626-4rwp", "scanner": "osv-scanner", "correlation_key": "vuln|vitest|CVE-2026-47429|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m7jm-9gc2-mpf2", "level": "error", "message": {"text": "fast-xml-parser: GHSA-m7jm-9gc2-mpf2"}, "properties": {"repobilityId": 104769, "scanner": "osv-scanner", "fingerprint": "db7f5f593c3bbed98a3a8dce2d9856dbd244753df9302fd82faea9143a830ac4", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25896"], "package": "fast-xml-parser", "rule_id": "GHSA-m7jm-9gc2-mpf2", "scanner": "osv-scanner", "correlation_key": "vuln|fast-xml-parser|CVE-2026-25896|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}]}]}