diff --git a/crates/runx-cli/src/official_skills.rs b/crates/runx-cli/src/official_skills.rs
index 8469e4b0..0f637c2d 100644
--- a/crates/runx-cli/src/official_skills.rs
+++ b/crates/runx-cli/src/official_skills.rs
@@ -40,6 +40,11 @@ pub(crate) const OFFICIAL_SKILLS: &[OfficialSkillLockEntry] = &[
 version: "sha-c2d071df7f50",
 digest: "08cefe802c15e5be7d32ae9a363a6c42168e86f7fab92890e5ce5c994af367c9",
 },
+ OfficialSkillLockEntry {
+ skill_id: "runx/dependency-advisory-graph",
+ version: "sha-c7a7970abd3e",
+ digest: "319e63c0c7e1d250723f0ed49a6c1c5a913b9e489304ac429d8b640083d4526f",
+ },
 OfficialSkillLockEntry {
 skill_id: "runx/dependency-cve-audit",
 version: "sha-6db720882ba0",
diff --git a/packages/cli/src/official-skills.lock.json b/packages/cli/src/official-skills.lock.json
index 5ce7c23e..6f09f8b0 100644
--- a/packages/cli/src/official-skills.lock.json
+++ b/packages/cli/src/official-skills.lock.json
@@ -41,6 +41,13 @@
 "catalog_visibility": "public",
 "catalog_role": "context"
 },
+ {
+ "skill_id": "runx/dependency-advisory-graph",
+ "version": "sha-c7a7970abd3e",
+ "digest": "319e63c0c7e1d250723f0ed49a6c1c5a913b9e489304ac429d8b640083d4526f",
+ "catalog_visibility": "public",
+ "catalog_role": "canonical"
+ },
 {
 "skill_id": "runx/dependency-cve-audit",
 "version": "sha-6db720882ba0",
diff --git a/skills/dependency-advisory-graph/SKILL.md b/skills/dependency-advisory-graph/SKILL.md
new file mode 100644
index 00000000..d51e58ea
--- /dev/null
+++ b/skills/dependency-advisory-graph/SKILL.md
@@ -0,0 +1,209 @@
+---
+name: dependency-advisory-graph
+description: Build an exact-version dependency advisory graph by scanning a real project lockfile and querying OSV advisories.
+source:
+ type: cli-tool
+ command: node
+ args:
+ - run.mjs
+ timeout_seconds: 30
+ sandbox:
+ profile: readonly
+ cwd_policy: skill-directory
+inputs:
+ lockfile:
+ type: json
+ required: false
+ description: npm package-lock JSON object for the target project.
+ lockfile_path:
+ type: string
+ required: false
+ description: Path inside the skill package to a real target package-lock.json.
+ lockfile_url:
+ type: string
+ required: false
+ description: Public URL to a target package-lock.json, fetched at run time.
+ osv_response:
+ type: json
+ required: false
+ description: Optional OSV querybatch response for offline harness fixtures.
+ osv_response_path:
+ type: string
+ required: false
+ description: Optional path inside the skill package to an OSV querybatch fixture.
+ ecosystem:
+ type: string
+ required: false
+ description: Dependency ecosystem label. Defaults to npm.
+ project_name:
+ type: string
+ required: false
+ description: Name of the target project being scanned.
+ project_url:
+ type: string
+ required: false
+ description: Public URL of the target project being scanned.
+runx:
+ category: security
+---
+
+## What this skill does
+
+This skill builds a checkable dependency advisory graph for one real dependency
+lockfile. It parses installed package versions from an npm `package-lock.json`,
+queries OSV for those exact package/version pairs at run time, and returns a
+graph-shaped JSON packet that separates confirmed advisory matches from clean or
+unknown packages.
+
+The runner is intentionally conservative. It requires installed versions from a
+lockfile, uses OSV `querybatch` with exact package versions, never reports a
+package-name-only finding, and emits a direct dependency fix path for each
+finding so the operator can see which top-level dependency to bump.
+
+## When to use this skill
+
+Use this skill when an agent needs a reproducible dependency advisory packet for
+a public project, security handoff, Frantic delivery, runx receipt, or review
+fixture where the target project has a dependency lockfile. It is appropriate
+when the caller needs exact-version proof fields such as `package`,
+`installed_version`, `advisory_id`, `evidence_url`, `advisory_source`,
+`retrieved_at`, `severity`, `fix_version`, `direct_dependency_to_bump`,
+`fix_path`, and `confidence`.
+
+Use it to turn a real package-lock plus live OSV advisory data into evidence
+JSON, verification JSON, and a concise Markdown report. The output can support
+later upgrade planning, receipt review, or human triage, but it is not by itself
+an authority to publish an advisory or mutate a target repository.
+
+## When not to use this skill
+
+Do not use this skill as a package installer, exploitability assessment, full
+application security review, SBOM generator, or automated remediation tool. Do
+not use it for private manifests unless the package names, installed versions,
+and advisory facts have an explicit disclosure grant.
+
+Do not treat a zero-finding packet as proof that the project is vulnerability
+free. It only means OSV returned no vulnerability for the exact package versions
+found in this lockfile. If the lockfile is missing installed versions, return
+`needs_input` or stop instead of guessing from broad semver declarations.
+
+## Procedure
+
+1. Read `lockfile`, `lockfile_path`, or `lockfile_url`, optional `ecosystem`, and optional
+ `project_name` / `project_url`.
+2. Parse installed package names and exact installed versions from npm
+ `package-lock.json`.
+3. Identify whether each vulnerable package is a direct dependency or which
+ direct dependency owns its dependency path.
+4. Query OSV `querybatch` for each package/version pair. Harness fixtures may
+ pass `osv_response` or `osv_response_path` so tests remain deterministic.
+5. Emit a finding only when OSV returns a vulnerability for the exact package and
+ installed version queried.
+6. Emit `direct_dependency_to_bump` and `fix_path` for each finding.
+7. Build graph nodes for scanned packages and matched advisories.
+8. Write `evidence.json`, `verification.json`, and `report.md` when
+ `output_dir` is provided.
+
+## Edge cases and stop conditions
+
+Return `needs_input` or stop when the caller omits `lockfile`, `lockfile_path`,
+and `lockfile_url`. Stop when the lockfile is not valid JSON-like data, when it
+does not contain npm `packages` or `dependencies`, or when OSV cannot be queried
+and no explicit `osv_response` fixture was supplied.
+
+Return `needs_more_evidence` when a finding would rely only on package name,
+when OSV lacks a stable evidence URL, or when the caller cannot show the
+authority or scope grant for publishing the result. Return `refused` when asked
+to install packages, execute application code, read private repositories without
+approval, submit a vulnerability report, or mutate a repository.
+
+For `output_dir`, the resolved path must stay inside the skill directory. This
+keeps artifacts bounded to the package and prevents accidental writes outside
+the current receipt proof surface.
+
+## Output schema
+
+The primary output is `runx.dependency_advisory_graph.v2`:
+
+```json
+{
+ "schema": "runx.dependency_advisory_graph.v2",
+ "ecosystem": "npm",
+ "project": {
+ "name": "fixture-vulnerable-app",
+ "url": "https://example.com/fixture-vulnerable-app",
+ "lockfile_source": "fixtures/package-lock-advisory.json",
+ "lockfile_path": "fixtures/package-lock-advisory.json",
+ "lockfile_url": null
+ },
+ "package": "minimist",
+ "installed_version": "0.0.8",
+ "advisory_id": "GHSA-vh95-rmgr-6w4m",
+ "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m",
+ "advisory_source": "https://api.osv.dev/v1/querybatch",
+ "retrieved_at": "2026-06-23T00:00:00.000Z",
+ "severity": "critical",
+ "fix_version": "0.2.1",
+ "fix_path": "Bump minimist so minimist@0.0.8 is replaced by a non-vulnerable version; OSV first fixed version: 0.2.1.",
+ "direct_dependency_to_bump": "minimist",
+ "confidence": "high",
+ "exact_version_match": true,
+ "false_positive_guard": "Finding emitted only after package name matched and installed_version matched the advisory version evidence.",
+ "findings": [],
+ "clean_packages": [],
+ "graph": {
+ "nodes": [],
+ "edges": []
+ },
+ "false_positive_guards": [],
+ "validation": {
+ "exact_version_match": true,
+ "no_package_name_only_false_positives": true,
+ "package_name_only_guard_count": 0,
+ "target_lockfile_ingested": true,
+ "target_code_executed": true,
+ "target_code_execution_note": "The scanner executed against and parsed the target project's dependency lockfile; it did not run application code.",
+ "target_packages_installed": false,
+ "osv_runtime_query_performed": true,
+ "advisory_source_mode": "live_osv_querybatch",
+ "direct_dependency_fix_paths_count": 1
+ }
+}
+```
+
+When `output_dir` is provided, the runner also writes `evidence.json`,
+`verification.json`, and `report.md` inside that directory.
+
+## Worked example
+
+Run the skill against a real npm `package-lock.json` and OSV:
+
+```bash
+runx skill ./skills/dependency-advisory-graph \
+ --input ecosystem=npm \
+ --input project_name=fixture-vulnerable-app \
+ --input project_url=https://example.com/fixture-vulnerable-app \
+ --input lockfile_path=fixtures/package-lock-advisory.json \
+ --input output_dir=artifacts/sealed-advisory-minimist-008 \
+ --json
+```
+
+The receipt should include a high-confidence finding for `minimist@0.0.8`,
+graph edges from the dependency node to the advisory node, `osv_runtime_query`
+evidence, and a fix path naming `minimist` as the direct dependency to bump.
+
+## Inputs
+
+- `lockfile`: JSON object containing an npm `package-lock.json`.
+- `lockfile_path`: path inside the skill package to an npm `package-lock.json`.
+- `lockfile_url`: public URL to an npm `package-lock.json`, fetched at run
+ time. This is the preferred dogfood path for public projects because it proves
+ the skill scanned a real target lockfile.
+- `osv_response`: optional OSV `querybatch` response used only for deterministic
+ offline harness fixtures.
+- `osv_response_path`: path inside the skill package to an OSV fixture response.
+- `ecosystem`: optional ecosystem label. Defaults to `npm`.
+- `project_name`: optional target project name.
+- `project_url`: optional public target project URL.
+- `output_dir`: optional directory inside the skill package for generated
+ artifacts.
diff --git a/skills/dependency-advisory-graph/X.yaml b/skills/dependency-advisory-graph/X.yaml
new file mode 100644
index 00000000..89ccf856
--- /dev/null
+++ b/skills/dependency-advisory-graph/X.yaml
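Review bot: The front-matter `inputs` block lists eight inputs but not `output_dir`, although Procedure step 8, the edge-case section, the Inputs list and the runner declaration in X.yaml all use it; if the runner validates inputs against this front matter, the harness's `output_dir` would be rejected or silently dropped, so add `output_dir: { type: string, required: false, description: Directory inside the skill directory for evidence.json, verification.json, and report.md. }` under `inputs`. In the same front matter `sandbox.profile: readonly` sits beside a documented write of `evidence.json`, `verification.json` and `report.md`, so one of the two statements should say which wins when `output_dir` is set. The containment rule ("the resolved path must stay inside the skill directory") is stated only for `output_dir`; `lockfile_path` and `osv_response_path` are described as paths inside the skill package, and the doc should say the same resolved-path check applies to them so a caller-supplied path cannot read files outside the package. `lockfile_url` is described only as a public URL fetched at run time, and run.mjs is not in this commit, so document what the fetcher accepts (scheme, redirects, size cap) or mark it as a TODO. Finally, the example packet's `"target_code_executed": true` next to a note saying no application code ran reads as a contradiction; a one-line explanation of that field, or a name such as `target_lockfile_parsed`, would avoid misreading during receipt review.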
@@ -0,0 +1,136 @@
+skill: dependency-advisory-graph
+version: "0.2.0"
+
+catalog:
+ kind: skill
+ audience: public
+ visibility: public
+ role: canonical
+
+harness:
+ cases:
+ - name: sealed-advisory-minimist-008
+ runner: default
+ inputs:
+ ecosystem: npm
+ project_name: fixture/minimist-direct
+ project_url: https://example.com/fixtures/minimist-direct
+ lockfile:
+ name: fixture-vulnerable-app
+ version: 1.0.0
+ lockfileVersion: 3
+ requires: true
+ packages:
+ "":
+ name: fixture-vulnerable-app
+ version: 1.0.0
+ dependencies:
+ minimist: 0.0.8
+ left-pad: 1.3.0
+ node_modules/minimist:
+ version: 0.0.8
+ resolved: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
+ integrity: sha512-fixture
+ node_modules/left-pad:
+ version: 1.3.0
+ resolved: https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz
+ integrity: sha512-fixture
+ osv_response:
+ retrieved_at: "2026-06-24T00:00:00.000Z"
+ source:
+ name: OSV querybatch fixture
+ url: https://api.osv.dev/v1/querybatch
+ retrieved_at: "2026-06-24T00:00:00.000Z"
+ results:
+ - vulns:
+ - id: GHSA-vh95-rmgr-6w4m
+ aliases:
+ - CVE-2020-7598
+ summary: minimist prototype pollution
+ modified: "2026-06-24T00:00:00.000Z"
+ database_specific:
+ severity: CRITICAL
+ affected:
+ - package:
+ ecosystem: npm
+ name: minimist
+ ranges:
+ - type: SEMVER
+ events:
+ - introduced: "0"
+ - fixed: 0.2.1
+ versions:
+ - 0.0.8
+ references:
+ - type: ADVISORY
+ url: https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m
+ - vulns: []
+ output_dir: artifacts/sealed-advisory-minimist-008
+ expect:
+ status: sealed
+ receipt:
+ schema: runx.receipt.v1
+ - name: invalid-manifest-fails
+ runner: default
+ inputs:
+ ecosystem: npm
+ lockfile: {}
+ osv_response:
+ results: []
+ expect:
+ status: failure
+ receipt:
+ schema: runx.receipt.v1
+ state: sealed
+ disposition: failed
+ reason_code: process_failed
+
+runners:
+ default:
+ default: true
+ type: cli-tool
+ command: node
+ args:
+ - run.mjs
+ inputs:
+ lockfile:
+ type: json
+ required: false
+ description: npm package-lock JSON object for the target project.
+ lockfile_path:
+ type: string
+ required: false
+ description: Path inside the skill package to a real target package-lock.json.
+ lockfile_url:
+ type: string
+ required: false
+ description: Public URL to a target package-lock.json, fetched at run time.
+ osv_response:
+ type: json
+ required: false
+ description: Optional OSV querybatch response for offline harness fixtures.
+ osv_response_path:
+ type: string
+ required: false
+ description: Optional path inside the skill package to an OSV querybatch fixture.
+ ecosystem:
+ type: string
+ required: false
+ description: Dependency ecosystem label. Defaults to npm.
+ project_name:
+ type: string
+ required: false
+ description: Name of the target project being scanned.
+ project_url:
+ type: string
+ required: false
+ description: Public URL of the target project being scanned.
+ output_dir:
+ type: string
+ required: false
+ description: Directory inside the skill directory for evidence.json, verification.json, and report.md.
+ outputs:
+ dependency_advisory_graph: object
+ evidence_json: object
+ verification_json: object
+ report_md: string
diff --git a/skills/dependency-advisory-graph/artifacts/clean-manifest-no-finding/evidence.json b/skills/dependency-advisory-graph/artifacts/clean-manifest-no-finding/evidence.json
new file mode 100644
index 00000000..440123a1
--- /dev/null
+++ b/skills/dependency-advisory-graph/artifacts/clean-manifest-no-finding/evidence.json
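Review bot: The `sealed-advisory-minimist-008` case's `expect` block asserts only `status: sealed` and `receipt.schema: runx.receipt.v1`, so a regression that returns an empty `findings` array or names the wrong `direct_dependency_to_bump` would still pass; if the harness supports output assertions, pin `advisory_id: GHSA-vh95-rmgr-6w4m`, `installed_version: "0.0.8"` and `direct_dependency_to_bump: minimist` from the fixture. The fixture carries `retrieved_at` twice (at the top of `osv_response` and under `source`), which leaves unclear which one the runner copies into the packet's `retrieved_at`; keep one or say which is authoritative. `fixed: 0.2.1` and the `versions` entry `0.0.8` parse as strings only because they have two dots, while `introduced: "0"` on the neighbouring line is quoted; quote every version value the same way so a future `fixed: 1.0` is not read as a float. The `invalid-manifest-fails` case covers an empty lockfile, but nothing exercises the documented "stop instead of guessing" path for a `packages` entry without a `version`, which is the input most likely to regress into a package-name-only finding.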
@@ -0,0 +1,103 @@ +{ + "schema": "runx.dependency_advisory_graph.v2", + "ecosystem": "npm", + "project": { + "name": "fixture-clean-app", + "url": "https://example.com/fixture-clean-app", + "lockfile_source": "fixtures/package-lock-clean.json", + "lockfile_path": "fixtures/package-lock-clean.json", + "lockfile_url": null + }, + "package": "minimist", + "installed_version": "1.2.7", + "advisory_id": "none", + "evidence_url": null, + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:00:00.000Z", + "severity": "none", + "fix_version": null, + "fix_path": null, + "direct_dependency_to_bump": null, + "confidence": "high", + "exact_version_match": true, + "findings": [], + "clean_packages": [ + { + "package": "minimist", + "installed_version": "1.2.7", + "path": "node_modules/minimist", + "direct": true, + "direct_dependency_to_bump": "minimist", + "dependency_path": [ + "minimist" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "left-pad", + "installed_version": "1.3.0", + "path": "node_modules/left-pad", + "direct": true, + "direct_dependency_to_bump": "left-pad", + "dependency_path": [ + "left-pad" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." 
+ } + ], + "graph": { + "nodes": [ + { + "id": "pkg:npm/minimist@1.2.7", + "type": "dependency", + "package": "minimist", + "installed_version": "1.2.7", + "direct_dependency_to_bump": "minimist", + "dependency_path": [ + "minimist" + ] + }, + { + "id": "pkg:npm/left-pad@1.3.0", + "type": "dependency", + "package": "left-pad", + "installed_version": "1.3.0", + "direct_dependency_to_bump": "left-pad", + "dependency_path": [ + "left-pad" + ] + } + ], + "edges": [] + }, + "false_positive_guards": [ + { + "package": "minimist", + "installed_version": "1.2.7", + "guard": "OSV returned no vulnerability for this exact package and installed version." + }, + { + "package": "left-pad", + "installed_version": "1.3.0", + "guard": "OSV returned no vulnerability for this exact package and installed version." + } + ], + "validation": { + "exact_version_match": true, + "no_package_name_only_false_positives": true, + "package_name_only_guard_count": 2, + "target_lockfile_ingested": true, + "target_code_executed": true, + "target_code_execution_note": "The scanner executed against and parsed the target project's dependency lockfile; it did not run application code.", + "target_packages_installed": false, + "osv_runtime_query_performed": false, + "advisory_source_mode": "osv_fixture_response", + "direct_dependency_fix_paths_count": 0 + }, + "operator_next_steps": [ + "Keep this lockfile under routine dependency monitoring.", + "Re-run this skill when dependencies change or a new OSV advisory appears." + ] +} diff --git a/skills/dependency-advisory-graph/artifacts/clean-manifest-no-finding/report.md b/skills/dependency-advisory-graph/artifacts/clean-manifest-no-finding/report.md new file mode 100644 index 00000000..0c550f6a --- /dev/null +++ b/skills/dependency-advisory-graph/artifacts/clean-manifest-no-finding/report.md 
@@ -0,0 +1,27 @@ +# Dependency Advisory Graph Report + +Project: fixture-clean-app +Project URL: https://example.com/fixture-clean-app +Lockfile source: fixtures/package-lock-clean.json +Ecosystem: npm +Advisory source: https://api.osv.dev/v1/querybatch +Retrieved at: 2026-06-24T00:00:00.000Z + +## Findings + +- No OSV advisory matched the exact installed package versions in this lockfile. + +## Verification + +- typed_output_fields: pass +- real_lockfile_ingested: pass +- osv_advisory_source: pass +- exact_version_match: pass +- direct_dependency_fix_path: pass +- false_positive_guard: pass +- no_target_install_or_app_execution: pass + +## Operator next steps + +- Keep this lockfile under routine dependency monitoring. +- Re-run this skill when dependencies change or a new OSV advisory appears. diff --git a/skills/dependency-advisory-graph/artifacts/clean-manifest-no-finding/verification.json b/skills/dependency-advisory-graph/artifacts/clean-manifest-no-finding/verification.json new file mode 100644 index 00000000..58608aa6 --- /dev/null +++ b/skills/dependency-advisory-graph/artifacts/clean-manifest-no-finding/verification.json 
@@ -0,0 +1,50 @@ +{ + "schema": "runx.dependency_advisory_graph.verification.v2", + "skill": "dependency-advisory-graph", + "project": { + "name": "fixture-clean-app", + "url": "https://example.com/fixture-clean-app", + "lockfile_source": "fixtures/package-lock-clean.json", + "lockfile_path": "fixtures/package-lock-clean.json", + "lockfile_url": null + }, + "checks": [ + { + "id": "typed_output_fields", + "status": "pass" + }, + { + "id": "real_lockfile_ingested", + "status": "pass", + "source": "fixtures/package-lock-clean.json" + }, + { + "id": "osv_advisory_source", + "status": "pass", + "mode": "osv_fixture_response" + }, + { + "id": "exact_version_match", + "status": "pass" + }, + { + "id": "direct_dependency_fix_path", + "status": "pass" + }, + { + "id": "false_positive_guard", + "status": "pass", + "guarded_non_findings": 2 + }, + { + "id": "no_target_install_or_app_execution", + "status": "pass", + "note": "The scanner executed against and parsed the target project's dependency lockfile; it did not run application code." + } + ], + "install_run_verify": [ + "runx --version", + "runx harness ./skills/dependency-advisory-graph --json", + "runx skill ./skills/dependency-advisory-graph --input lockfile_path= --json" + ] +} diff --git a/skills/dependency-advisory-graph/artifacts/dogfood-live-theia-runx-v2c-output.json b/skills/dependency-advisory-graph/artifacts/dogfood-live-theia-runx-v2c-output.json new file mode 100644 index 00000000..4ffa8b7f --- /dev/null +++ b/skills/dependency-advisory-graph/artifacts/dogfood-live-theia-runx-v2c-output.json 
@@ -0,0 +1,4671 @@ +{ + "closure": { + "closed_at": "2026-06-24T00:25:58.380Z", + "disposition": "closed", + "reason_code": "process_closed", + "summary": "cli-tool default completed" + }, + "execution": { + "exit_code": 0, + "skill_claim": { + "advisory_id": "GHSA-f886-m6hf-6m8v", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "clean_packages": [ + { + "confidence": "high", + "dependency_path": [ + "tslint", + "@babel/code-frame" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "7.5.5", + "package": "@babel/code-frame", + "path": "@babel/code-frame" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "@babel/highlight" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "7.5.0", + "package": "@babel/highlight", + "path": "@babel/highlight" + }, + { + "confidence": "high", + "dependency_path": [ + "@types/node" + ], + "direct": true, + "direct_dependency_to_bump": "@types/node", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "12.11.1", + "package": "@types/node", + "path": "@types/node" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "ansi-styles" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "3.2.1", + "package": "ansi-styles", + "path": "ansi-styles" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "argparse" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + 
"false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.10", + "package": "argparse", + "path": "argparse" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "balanced-match" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.0", + "package": "balanced-match", + "path": "balanced-match" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "builtin-modules" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.1.1", + "package": "builtin-modules", + "path": "builtin-modules" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "chalk" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "2.4.2", + "package": "chalk", + "path": "chalk" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "color-convert" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.9.3", + "package": "color-convert", + "path": "color-convert" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "color-name" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.1.3", + "package": 
"color-name", + "path": "color-name" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "commander" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "2.20.3", + "package": "commander", + "path": "commander" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "concat-map" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "0.0.1", + "package": "concat-map", + "path": "concat-map" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "escape-string-regexp" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.5", + "package": "escape-string-regexp", + "path": "escape-string-regexp" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "esprima" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "4.0.1", + "package": "esprima", + "path": "esprima" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "esutils" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "2.0.3", + "package": "esutils", + "path": "esutils" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "fs.realpath" + ], + "direct": false, + "direct_dependency_to_bump": 
"tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.0", + "package": "fs.realpath", + "path": "fs.realpath" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "glob" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "7.1.4", + "package": "glob", + "path": "glob" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "has-flag" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "3.0.0", + "package": "has-flag", + "path": "has-flag" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "inflight" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.6", + "package": "inflight", + "path": "inflight" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "inherits" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "2.0.4", + "package": "inherits", + "path": "inherits" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "js-tokens" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "4.0.0", + "package": "js-tokens", + "path": "js-tokens" + }, + { 
+ "confidence": "high", + "dependency_path": [ + "tslint", + "mkdirp" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "0.5.1", + "package": "mkdirp", + "path": "mkdirp" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "once" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.4.0", + "package": "once", + "path": "once" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "path-is-absolute" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.1", + "package": "path-is-absolute", + "path": "path-is-absolute" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "resolve" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.12.0", + "package": "resolve", + "path": "resolve" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "sprintf-js" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.3", + "package": "sprintf-js", + "path": "sprintf-js" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "supports-color" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned 
no advisory for this exact package and installed version.", + "installed_version": "5.5.0", + "package": "supports-color", + "path": "supports-color" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "tslib" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.10.0", + "package": "tslib", + "path": "tslib" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint" + ], + "direct": true, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "5.20.0", + "package": "tslint", + "path": "tslint" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "tsutils" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "2.29.0", + "package": "tsutils", + "path": "tsutils" + }, + { + "confidence": "high", + "dependency_path": [ + "typescript" + ], + "direct": true, + "direct_dependency_to_bump": "typescript", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "3.6.4", + "package": "typescript", + "path": "typescript" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "wrappy" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.2", + "package": "wrappy", + "path": "wrappy" + } + ], + "confidence": "high", + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + 
"evidence_url": "https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v", + "exact_version_match": true, + "false_positive_guards": [ + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "7.5.5", + "package": "@babel/code-frame" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "7.5.0", + "package": "@babel/highlight" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "12.11.1", + "package": "@types/node" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "3.2.1", + "package": "ansi-styles" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.10", + "package": "argparse" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.0", + "package": "balanced-match" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.1.1", + "package": "builtin-modules" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "2.4.2", + "package": "chalk" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.9.3", + "package": "color-convert" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.1.3", + "package": "color-name" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "2.20.3", + "package": "commander" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": 
"0.0.1", + "package": "concat-map" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.5", + "package": "escape-string-regexp" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "4.0.1", + "package": "esprima" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "2.0.3", + "package": "esutils" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.0", + "package": "fs.realpath" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "7.1.4", + "package": "glob" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "3.0.0", + "package": "has-flag" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.6", + "package": "inflight" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "2.0.4", + "package": "inherits" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "4.0.0", + "package": "js-tokens" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "0.5.1", + "package": "mkdirp" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.4.0", + "package": "once" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.1", + "package": "path-is-absolute" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed 
version.", + "installed_version": "1.12.0", + "package": "resolve" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.3", + "package": "sprintf-js" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "5.5.0", + "package": "supports-color" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.10.0", + "package": "tslib" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "5.20.0", + "package": "tslint" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "2.29.0", + "package": "tsutils" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "3.6.4", + "package": "typescript" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.2", + "package": "wrappy" + } + ], + "findings": [ + { + "advisory_id": "GHSA-f886-m6hf-6m8v", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "brace-expansion" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-f886-m6hf-6m8v.", + "fix_version": null, + "installed_version": "1.1.11", + "package": "brace-expansion", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-v6h2-p8h4-qcjw", + "advisory_source": 
"https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "brace-expansion" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-v6h2-p8h4-qcjw", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-v6h2-p8h4-qcjw.", + "fix_version": null, + "installed_version": "1.1.11", + "package": "brace-expansion", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-73rr-hh4g-fpgx", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "diff" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-73rr-hh4g-fpgx", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-73rr-hh4g-fpgx.", + "fix_version": null, + "installed_version": "4.0.1", + "package": "diff", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-h67p-54hq-rp68", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "js-yaml" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-h67p-54hq-rp68", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-h67p-54hq-rp68.", + "fix_version": null, 
+ "installed_version": "3.13.1", + "package": "js-yaml", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-mh29-5h37-fv8m", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "js-yaml" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-mh29-5h37-fv8m", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-mh29-5h37-fv8m.", + "fix_version": null, + "installed_version": "3.13.1", + "package": "js-yaml", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-23c5-xmqv-rm74", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-23c5-xmqv-rm74", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-23c5-xmqv-rm74.", + "fix_version": null, + "installed_version": "3.0.4", + "package": "minimatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-3ppc-4f35-3m26", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-3ppc-4f35-3m26", + "exact_version_match": true, + "false_positive_guard": "Finding emitted 
only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-3ppc-4f35-3m26.", + "fix_version": null, + "installed_version": "3.0.4", + "package": "minimatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-7r86-cg39-jmmj", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-7r86-cg39-jmmj", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-7r86-cg39-jmmj.", + "fix_version": null, + "installed_version": "3.0.4", + "package": "minimatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-f8q6-p94x-37v3", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f8q6-p94x-37v3", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-f8q6-p94x-37v3.", + "fix_version": null, + "installed_version": "3.0.4", + "package": "minimatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-vh95-rmgr-6w4m", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimist" + ], + 
"direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-vh95-rmgr-6w4m.", + "fix_version": null, + "installed_version": "0.0.8", + "package": "minimist", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-xvch-5gv4-984h", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimist" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-xvch-5gv4-984h", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-xvch-5gv4-984h.", + "fix_version": null, + "installed_version": "0.0.8", + "package": "minimist", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-hj48-42vr-x3v9", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "path-parse" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-hj48-42vr-x3v9", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-hj48-42vr-x3v9.", + "fix_version": null, + "installed_version": "1.0.6", + "package": "path-parse", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { 
+ "advisory_id": "GHSA-c2qf-rxjj-qqgw", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "semver" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-c2qf-rxjj-qqgw", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-c2qf-rxjj-qqgw.", + "fix_version": null, + "installed_version": "5.7.1", + "package": "semver", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + } + ], + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-f886-m6hf-6m8v.", + "fix_version": null, + "graph": { + "edges": [ + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v", + "from": "pkg:npm/brace-expansion@1.1.11", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-f886-m6hf-6m8v" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-v6h2-p8h4-qcjw", + "from": "pkg:npm/brace-expansion@1.1.11", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-v6h2-p8h4-qcjw" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-73rr-hh4g-fpgx", + "from": "pkg:npm/diff@4.0.1", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-73rr-hh4g-fpgx" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-h67p-54hq-rp68", + "from": "pkg:npm/js-yaml@3.13.1", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-h67p-54hq-rp68" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-mh29-5h37-fv8m", + "from": 
"pkg:npm/js-yaml@3.13.1", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-mh29-5h37-fv8m" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-23c5-xmqv-rm74", + "from": "pkg:npm/minimatch@3.0.4", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-23c5-xmqv-rm74" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-3ppc-4f35-3m26", + "from": "pkg:npm/minimatch@3.0.4", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-3ppc-4f35-3m26" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-7r86-cg39-jmmj", + "from": "pkg:npm/minimatch@3.0.4", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-7r86-cg39-jmmj" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f8q6-p94x-37v3", + "from": "pkg:npm/minimatch@3.0.4", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-f8q6-p94x-37v3" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m", + "from": "pkg:npm/minimist@0.0.8", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-vh95-rmgr-6w4m" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-xvch-5gv4-984h", + "from": "pkg:npm/minimist@0.0.8", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-xvch-5gv4-984h" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-hj48-42vr-x3v9", + "from": "pkg:npm/path-parse@1.0.6", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-hj48-42vr-x3v9" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-c2qf-rxjj-qqgw", + "from": 
"pkg:npm/semver@5.7.1", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-c2qf-rxjj-qqgw" + } + ], + "nodes": [ + { + "dependency_path": [ + "tslint", + "@babel/code-frame" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/@babel/code-frame@7.5.5", + "installed_version": "7.5.5", + "package": "@babel/code-frame", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "@babel/highlight" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/@babel/highlight@7.5.0", + "installed_version": "7.5.0", + "package": "@babel/highlight", + "type": "dependency" + }, + { + "dependency_path": [ + "@types/node" + ], + "direct_dependency_to_bump": "@types/node", + "id": "pkg:npm/@types/node@12.11.1", + "installed_version": "12.11.1", + "package": "@types/node", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "ansi-styles" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/ansi-styles@3.2.1", + "installed_version": "3.2.1", + "package": "ansi-styles", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "argparse" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/argparse@1.0.10", + "installed_version": "1.0.10", + "package": "argparse", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "balanced-match" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/balanced-match@1.0.0", + "installed_version": "1.0.0", + "package": "balanced-match", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "brace-expansion" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/brace-expansion@1.1.11", + "installed_version": "1.1.11", + "package": "brace-expansion", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "builtin-modules" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/builtin-modules@1.1.1", + "installed_version": "1.1.1", + "package": "builtin-modules", + "type": "dependency" + 
}, + { + "dependency_path": [ + "tslint", + "chalk" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/chalk@2.4.2", + "installed_version": "2.4.2", + "package": "chalk", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "color-convert" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/color-convert@1.9.3", + "installed_version": "1.9.3", + "package": "color-convert", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "color-name" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/color-name@1.1.3", + "installed_version": "1.1.3", + "package": "color-name", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "commander" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/commander@2.20.3", + "installed_version": "2.20.3", + "package": "commander", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "concat-map" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/concat-map@0.0.1", + "installed_version": "0.0.1", + "package": "concat-map", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "diff" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/diff@4.0.1", + "installed_version": "4.0.1", + "package": "diff", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "escape-string-regexp" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/escape-string-regexp@1.0.5", + "installed_version": "1.0.5", + "package": "escape-string-regexp", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "esprima" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/esprima@4.0.1", + "installed_version": "4.0.1", + "package": "esprima", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "esutils" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/esutils@2.0.3", + "installed_version": "2.0.3", + "package": "esutils", + "type": "dependency" + }, + 
{ + "dependency_path": [ + "tslint", + "fs.realpath" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/fs.realpath@1.0.0", + "installed_version": "1.0.0", + "package": "fs.realpath", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "glob" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/glob@7.1.4", + "installed_version": "7.1.4", + "package": "glob", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "has-flag" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/has-flag@3.0.0", + "installed_version": "3.0.0", + "package": "has-flag", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "inflight" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/inflight@1.0.6", + "installed_version": "1.0.6", + "package": "inflight", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "inherits" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/inherits@2.0.4", + "installed_version": "2.0.4", + "package": "inherits", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "js-tokens" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/js-tokens@4.0.0", + "installed_version": "4.0.0", + "package": "js-tokens", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "js-yaml" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/js-yaml@3.13.1", + "installed_version": "3.13.1", + "package": "js-yaml", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/minimatch@3.0.4", + "installed_version": "3.0.4", + "package": "minimatch", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "minimist" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/minimist@0.0.8", + "installed_version": "0.0.8", + "package": "minimist", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + 
"mkdirp" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/mkdirp@0.5.1", + "installed_version": "0.5.1", + "package": "mkdirp", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "once" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/once@1.4.0", + "installed_version": "1.4.0", + "package": "once", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "path-is-absolute" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/path-is-absolute@1.0.1", + "installed_version": "1.0.1", + "package": "path-is-absolute", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "path-parse" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/path-parse@1.0.6", + "installed_version": "1.0.6", + "package": "path-parse", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "resolve" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/resolve@1.12.0", + "installed_version": "1.12.0", + "package": "resolve", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "semver" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/semver@5.7.1", + "installed_version": "5.7.1", + "package": "semver", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "sprintf-js" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/sprintf-js@1.0.3", + "installed_version": "1.0.3", + "package": "sprintf-js", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "supports-color" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/supports-color@5.5.0", + "installed_version": "5.5.0", + "package": "supports-color", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "tslib" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/tslib@1.10.0", + "installed_version": "1.10.0", + "package": "tslib", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint" + ], + 
"direct_dependency_to_bump": "tslint", + "id": "pkg:npm/tslint@5.20.0", + "installed_version": "5.20.0", + "package": "tslint", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "tsutils" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/tsutils@2.29.0", + "installed_version": "2.29.0", + "package": "tsutils", + "type": "dependency" + }, + { + "dependency_path": [ + "typescript" + ], + "direct_dependency_to_bump": "typescript", + "id": "pkg:npm/typescript@3.6.4", + "installed_version": "3.6.4", + "package": "typescript", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "wrappy" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/wrappy@1.0.2", + "installed_version": "1.0.2", + "package": "wrappy", + "type": "dependency" + }, + { + "advisory_id": "GHSA-f886-m6hf-6m8v", + "fix_version": null, + "id": "adv:GHSA-f886-m6hf-6m8v", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-v6h2-p8h4-qcjw", + "fix_version": null, + "id": "adv:GHSA-v6h2-p8h4-qcjw", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-73rr-hh4g-fpgx", + "fix_version": null, + "id": "adv:GHSA-73rr-hh4g-fpgx", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-h67p-54hq-rp68", + "fix_version": null, + "id": "adv:GHSA-h67p-54hq-rp68", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-mh29-5h37-fv8m", + "fix_version": null, + "id": "adv:GHSA-mh29-5h37-fv8m", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-23c5-xmqv-rm74", + "fix_version": null, + "id": "adv:GHSA-23c5-xmqv-rm74", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-3ppc-4f35-3m26", + "fix_version": null, + "id": "adv:GHSA-3ppc-4f35-3m26", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-7r86-cg39-jmmj", + "fix_version": null, + "id": "adv:GHSA-7r86-cg39-jmmj", + "severity": "unknown", + 
"type": "advisory" + }, + { + "advisory_id": "GHSA-f8q6-p94x-37v3", + "fix_version": null, + "id": "adv:GHSA-f8q6-p94x-37v3", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-vh95-rmgr-6w4m", + "fix_version": null, + "id": "adv:GHSA-vh95-rmgr-6w4m", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-xvch-5gv4-984h", + "fix_version": null, + "id": "adv:GHSA-xvch-5gv4-984h", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-hj48-42vr-x3v9", + "fix_version": null, + "id": "adv:GHSA-hj48-42vr-x3v9", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-c2qf-rxjj-qqgw", + "fix_version": null, + "id": "adv:GHSA-c2qf-rxjj-qqgw", + "severity": "unknown", + "type": "advisory" + } + ] + }, + "installed_version": "1.1.11", + "operator_next_steps": [ + "Bump the listed direct_dependency_to_bump to a version that resolves the advisory.", + "Regenerate the lockfile and re-run this skill against the updated lockfile.", + "Attach the OSV evidence URL, fix path, and runx receipt to the dependency review record." 
+ ], + "package": "brace-expansion", + "project": { + "lockfile_path": null, + "lockfile_source": "https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json", + "lockfile_url": "https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json", + "name": "eclipse-theia/security-audit", + "url": "https://github.com/eclipse-theia/security-audit" + }, + "retrieved_at": "2026-06-24T00:25:58.356Z", + "schema": "runx.dependency_advisory_graph.v2", + "severity": "unknown", + "validation": { + "advisory_source_mode": "live_osv_querybatch", + "direct_dependency_fix_paths_count": 13, + "exact_version_match": true, + "no_package_name_only_false_positives": true, + "osv_runtime_query_performed": true, + "package_name_only_guard_count": 32, + "target_code_executed": true, + "target_code_execution_note": "The scanner executed against and parsed the target project's dependency lockfile; it did not run application code.", + "target_lockfile_ingested": true, + "target_packages_installed": false + } + }, + "stderr": "", + "stdout": "{\n \"schema\": \"runx.dependency_advisory_graph.v2\",\n \"ecosystem\": \"npm\",\n \"project\": {\n \"name\": \"eclipse-theia/security-audit\",\n \"url\": \"https://github.com/eclipse-theia/security-audit\",\n \"lockfile_source\": \"https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json\",\n \"lockfile_path\": null,\n \"lockfile_url\": \"https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json\"\n },\n \"package\": \"brace-expansion\",\n \"installed_version\": \"1.1.11\",\n \"advisory_id\": \"GHSA-f886-m6hf-6m8v\",\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v\",\n \"advisory_source\": \"https://api.osv.dev/v1/querybatch\",\n \"retrieved_at\": \"2026-06-24T00:25:58.356Z\",\n \"severity\": \"unknown\",\n \"fix_version\": null,\n \"fix_path\": \"Bump tslint to a version outside the OSV affected range for 
GHSA-f886-m6hf-6m8v.\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"confidence\": \"high\",\n \"exact_version_match\": true,\n \"findings\": [\n {\n \"package\": \"brace-expansion\",\n \"installed_version\": \"1.1.11\",\n \"dependency_path\": [\n \"tslint\",\n \"brace-expansion\"\n ],\n \"direct_dependency_to_bump\": \"tslint\",\n \"fix_path\": \"Bump tslint to a version outside the OSV affected range for GHSA-f886-m6hf-6m8v.\",\n \"advisory_id\": \"GHSA-f886-m6hf-6m8v\",\n \"aliases\": [],\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v\",\n \"advisory_source\": \"https://api.osv.dev/v1/querybatch\",\n \"retrieved_at\": \"2026-06-24T00:25:58.356Z\",\n \"severity\": \"unknown\",\n \"fix_version\": null,\n \"confidence\": \"high\",\n \"exact_version_match\": true,\n \"ecosystem\": \"npm\",\n \"false_positive_guard\": \"Finding emitted only after OSV query matched package name and exact installed version.\"\n },\n {\n \"package\": \"brace-expansion\",\n \"installed_version\": \"1.1.11\",\n \"dependency_path\": [\n \"tslint\",\n \"brace-expansion\"\n ],\n \"direct_dependency_to_bump\": \"tslint\",\n \"fix_path\": \"Bump tslint to a version outside the OSV affected range for GHSA-v6h2-p8h4-qcjw.\",\n \"advisory_id\": \"GHSA-v6h2-p8h4-qcjw\",\n \"aliases\": [],\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-v6h2-p8h4-qcjw\",\n \"advisory_source\": \"https://api.osv.dev/v1/querybatch\",\n \"retrieved_at\": \"2026-06-24T00:25:58.356Z\",\n \"severity\": \"unknown\",\n \"fix_version\": null,\n \"confidence\": \"high\",\n \"exact_version_match\": true,\n \"ecosystem\": \"npm\",\n \"false_positive_guard\": \"Finding emitted only after OSV query matched package name and exact installed version.\"\n },\n {\n \"package\": \"diff\",\n \"installed_version\": \"4.0.1\",\n \"dependency_path\": [\n \"tslint\",\n \"diff\"\n ],\n \"direct_dependency_to_bump\": \"tslint\",\n \"fix_path\": \"Bump tslint to a version outside the OSV affected range 
for GHSA-73rr-hh4g-fpgx.\",\n \"advisory_id\": \"GHSA-73rr-hh4g-fpgx\",\n \"aliases\": [],\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-73rr-hh4g-fpgx\",\n \"advisory_source\": \"https://api.osv.dev/v1/querybatch\",\n \"retrieved_at\": \"2026-06-24T00:25:58.356Z\",\n \"severity\": \"unknown\",\n \"fix_version\": null,\n \"confidence\": \"high\",\n \"exact_version_match\": true,\n \"ecosystem\": \"npm\",\n \"false_positive_guard\": \"Finding emitted only after OSV query matched package name and exact installed version.\"\n },\n {\n \"package\": \"js-yaml\",\n \"installed_version\": \"3.13.1\",\n \"dependency_path\": [\n \"tslint\",\n \"js-yaml\"\n ],\n \"direct_dependency_to_bump\": \"tslint\",\n \"fix_path\": \"Bump tslint to a version outside the OSV affected range for GHSA-h67p-54hq-rp68.\",\n \"advisory_id\": \"GHSA-h67p-54hq-rp68\",\n \"aliases\": [],\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-h67p-54hq-rp68\",\n \"advisory_source\": \"https://api.osv.dev/v1/querybatch\",\n \"retrieved_at\": \"2026-06-24T00:25:58.356Z\",\n \"severity\": \"unknown\",\n \"fix_version\": null,\n \"confidence\": \"high\",\n \"exact_version_match\": true,\n \"ecosystem\": \"npm\",\n \"false_positive_guard\": \"Finding emitted only after OSV query matched package name and exact installed version.\"\n },\n {\n \"package\": \"js-yaml\",\n \"installed_version\": \"3.13.1\",\n \"dependency_path\": [\n \"tslint\",\n \"js-yaml\"\n ],\n \"direct_dependency_to_bump\": \"tslint\",\n \"fix_path\": \"Bump tslint to a version outside the OSV affected range for GHSA-mh29-5h37-fv8m.\",\n \"advisory_id\": \"GHSA-mh29-5h37-fv8m\",\n \"aliases\": [],\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-mh29-5h37-fv8m\",\n \"advisory_source\": \"https://api.osv.dev/v1/querybatch\",\n \"retrieved_at\": \"2026-06-24T00:25:58.356Z\",\n \"severity\": \"unknown\",\n \"fix_version\": null,\n \"confidence\": \"high\",\n \"exact_version_match\": true,\n \"ecosystem\": \"npm\",\n 
\"false_positive_guard\": \"Finding emitted only after OSV query matched package name and exact installed version.\"\n },\n {\n \"package\": \"minimatch\",\n \"installed_version\": \"3.0.4\",\n \"dependency_path\": [\n \"tslint\",\n \"minimatch\"\n ],\n \"direct_dependency_to_bump\": \"tslint\",\n \"fix_path\": \"Bump tslint to a version outside the OSV affected range for GHSA-23c5-xmqv-rm74.\",\n \"advisory_id\": \"GHSA-23c5-xmqv-rm74\",\n \"aliases\": [],\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-23c5-xmqv-rm74\",\n \"advisory_source\": \"https://api.osv.dev/v1/querybatch\",\n \"retrieved_at\": \"2026-06-24T00:25:58.356Z\",\n \"severity\": \"unknown\",\n \"fix_version\": null,\n \"confidence\": \"high\",\n \"exact_version_match\": true,\n \"ecosystem\": \"npm\",\n \"false_positive_guard\": \"Finding emitted only after OSV query matched package name and exact installed version.\"\n },\n {\n \"package\": \"minimatch\",\n \"installed_version\": \"3.0.4\",\n \"dependency_path\": [\n \"tslint\",\n \"minimatch\"\n ],\n \"direct_dependency_to_bump\": \"tslint\",\n \"fix_path\": \"Bump tslint to a version outside the OSV affected range for GHSA-3ppc-4f35-3m26.\",\n \"advisory_id\": \"GHSA-3ppc-4f35-3m26\",\n \"aliases\": [],\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-3ppc-4f35-3m26\",\n \"advisory_source\": \"https://api.osv.dev/v1/querybatch\",\n \"retrieved_at\": \"2026-06-24T00:25:58.356Z\",\n \"severity\": \"unknown\",\n \"fix_version\": null,\n \"confidence\": \"high\",\n \"exact_version_match\": true,\n \"ecosystem\": \"npm\",\n \"false_positive_guard\": \"Finding emitted only after OSV query matched package name and exact installed version.\"\n },\n {\n \"package\": \"minimatch\",\n \"installed_version\": \"3.0.4\",\n \"dependency_path\": [\n \"tslint\",\n \"minimatch\"\n ],\n \"direct_dependency_to_bump\": \"tslint\",\n \"fix_path\": \"Bump tslint to a version outside the OSV affected range for GHSA-7r86-cg39-jmmj.\",\n 
\"advisory_id\": \"GHSA-7r86-cg39-jmmj\",\n \"aliases\": [],\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-7r86-cg39-jmmj\",\n \"advisory_source\": \"https://api.osv.dev/v1/querybatch\",\n \"retrieved_at\": \"2026-06-24T00:25:58.356Z\",\n \"severity\": \"unknown\",\n \"fix_version\": null,\n \"confidence\": \"high\",\n \"exact_version_match\": true,\n \"ecosystem\": \"npm\",\n \"false_positive_guard\": \"Finding emitted only after OSV query matched package name and exact installed version.\"\n },\n {\n \"package\": \"minimatch\",\n \"installed_version\": \"3.0.4\",\n \"dependency_path\": [\n \"tslint\",\n \"minimatch\"\n ],\n \"direct_dependency_to_bump\": \"tslint\",\n \"fix_path\": \"Bump tslint to a version outside the OSV affected range for GHSA-f8q6-p94x-37v3.\",\n \"advisory_id\": \"GHSA-f8q6-p94x-37v3\",\n \"aliases\": [],\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-f8q6-p94x-37v3\",\n \"advisory_source\": \"https://api.osv.dev/v1/querybatch\",\n \"retrieved_at\": \"2026-06-24T00:25:58.356Z\",\n \"severity\": \"unknown\",\n \"fix_version\": null,\n \"confidence\": \"high\",\n \"exact_version_match\": true,\n \"ecosystem\": \"npm\",\n \"false_positive_guard\": \"Finding emitted only after OSV query matched package name and exact installed version.\"\n },\n {\n \"package\": \"minimist\",\n \"installed_version\": \"0.0.8\",\n \"dependency_path\": [\n \"tslint\",\n \"minimist\"\n ],\n \"direct_dependency_to_bump\": \"tslint\",\n \"fix_path\": \"Bump tslint to a version outside the OSV affected range for GHSA-vh95-rmgr-6w4m.\",\n \"advisory_id\": \"GHSA-vh95-rmgr-6w4m\",\n \"aliases\": [],\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m\",\n \"advisory_source\": \"https://api.osv.dev/v1/querybatch\",\n \"retrieved_at\": \"2026-06-24T00:25:58.356Z\",\n \"severity\": \"unknown\",\n \"fix_version\": null,\n \"confidence\": \"high\",\n \"exact_version_match\": true,\n \"ecosystem\": \"npm\",\n \"false_positive_guard\": 
\"Finding emitted only after OSV query matched package name and exact installed version.\"\n },\n {\n \"package\": \"minimist\",\n \"installed_version\": \"0.0.8\",\n \"dependency_path\": [\n \"tslint\",\n \"minimist\"\n ],\n \"direct_dependency_to_bump\": \"tslint\",\n \"fix_path\": \"Bump tslint to a version outside the OSV affected range for GHSA-xvch-5gv4-984h.\",\n \"advisory_id\": \"GHSA-xvch-5gv4-984h\",\n \"aliases\": [],\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-xvch-5gv4-984h\",\n \"advisory_source\": \"https://api.osv.dev/v1/querybatch\",\n \"retrieved_at\": \"2026-06-24T00:25:58.356Z\",\n \"severity\": \"unknown\",\n \"fix_version\": null,\n \"confidence\": \"high\",\n \"exact_version_match\": true,\n \"ecosystem\": \"npm\",\n \"false_positive_guard\": \"Finding emitted only after OSV query matched package name and exact installed version.\"\n },\n {\n \"package\": \"path-parse\",\n \"installed_version\": \"1.0.6\",\n \"dependency_path\": [\n \"tslint\",\n \"path-parse\"\n ],\n \"direct_dependency_to_bump\": \"tslint\",\n \"fix_path\": \"Bump tslint to a version outside the OSV affected range for GHSA-hj48-42vr-x3v9.\",\n \"advisory_id\": \"GHSA-hj48-42vr-x3v9\",\n \"aliases\": [],\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-hj48-42vr-x3v9\",\n \"advisory_source\": \"https://api.osv.dev/v1/querybatch\",\n \"retrieved_at\": \"2026-06-24T00:25:58.356Z\",\n \"severity\": \"unknown\",\n \"fix_version\": null,\n \"confidence\": \"high\",\n \"exact_version_match\": true,\n \"ecosystem\": \"npm\",\n \"false_positive_guard\": \"Finding emitted only after OSV query matched package name and exact installed version.\"\n },\n {\n \"package\": \"semver\",\n \"installed_version\": \"5.7.1\",\n \"dependency_path\": [\n \"tslint\",\n \"semver\"\n ],\n \"direct_dependency_to_bump\": \"tslint\",\n \"fix_path\": \"Bump tslint to a version outside the OSV affected range for GHSA-c2qf-rxjj-qqgw.\",\n \"advisory_id\": \"GHSA-c2qf-rxjj-qqgw\",\n 
\"aliases\": [],\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-c2qf-rxjj-qqgw\",\n \"advisory_source\": \"https://api.osv.dev/v1/querybatch\",\n \"retrieved_at\": \"2026-06-24T00:25:58.356Z\",\n \"severity\": \"unknown\",\n \"fix_version\": null,\n \"confidence\": \"high\",\n \"exact_version_match\": true,\n \"ecosystem\": \"npm\",\n \"false_positive_guard\": \"Finding emitted only after OSV query matched package name and exact installed version.\"\n }\n ],\n \"clean_packages\": [\n {\n \"package\": \"@babel/code-frame\",\n \"installed_version\": \"7.5.5\",\n \"path\": \"@babel/code-frame\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"@babel/code-frame\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"@babel/highlight\",\n \"installed_version\": \"7.5.0\",\n \"path\": \"@babel/highlight\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"@babel/highlight\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"@types/node\",\n \"installed_version\": \"12.11.1\",\n \"path\": \"@types/node\",\n \"direct\": true,\n \"direct_dependency_to_bump\": \"@types/node\",\n \"dependency_path\": [\n \"@types/node\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"ansi-styles\",\n \"installed_version\": \"3.2.1\",\n \"path\": \"ansi-styles\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"ansi-styles\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No 
finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"argparse\",\n \"installed_version\": \"1.0.10\",\n \"path\": \"argparse\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"argparse\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"balanced-match\",\n \"installed_version\": \"1.0.0\",\n \"path\": \"balanced-match\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"balanced-match\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"builtin-modules\",\n \"installed_version\": \"1.1.1\",\n \"path\": \"builtin-modules\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"builtin-modules\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"chalk\",\n \"installed_version\": \"2.4.2\",\n \"path\": \"chalk\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"chalk\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"color-convert\",\n \"installed_version\": \"1.9.3\",\n \"path\": \"color-convert\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"color-convert\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was 
emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"color-name\",\n \"installed_version\": \"1.1.3\",\n \"path\": \"color-name\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"color-name\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"commander\",\n \"installed_version\": \"2.20.3\",\n \"path\": \"commander\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"commander\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"concat-map\",\n \"installed_version\": \"0.0.1\",\n \"path\": \"concat-map\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"concat-map\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"escape-string-regexp\",\n \"installed_version\": \"1.0.5\",\n \"path\": \"escape-string-regexp\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"escape-string-regexp\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"esprima\",\n \"installed_version\": \"4.0.1\",\n \"path\": \"esprima\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"esprima\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because 
OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"esutils\",\n \"installed_version\": \"2.0.3\",\n \"path\": \"esutils\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"esutils\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"fs.realpath\",\n \"installed_version\": \"1.0.0\",\n \"path\": \"fs.realpath\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"fs.realpath\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"glob\",\n \"installed_version\": \"7.1.4\",\n \"path\": \"glob\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"glob\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"has-flag\",\n \"installed_version\": \"3.0.0\",\n \"path\": \"has-flag\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"has-flag\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"inflight\",\n \"installed_version\": \"1.0.6\",\n \"path\": \"inflight\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"inflight\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed 
version.\"\n },\n {\n \"package\": \"inherits\",\n \"installed_version\": \"2.0.4\",\n \"path\": \"inherits\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"inherits\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"js-tokens\",\n \"installed_version\": \"4.0.0\",\n \"path\": \"js-tokens\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"js-tokens\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"mkdirp\",\n \"installed_version\": \"0.5.1\",\n \"path\": \"mkdirp\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"mkdirp\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"once\",\n \"installed_version\": \"1.4.0\",\n \"path\": \"once\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"once\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"path-is-absolute\",\n \"installed_version\": \"1.0.1\",\n \"path\": \"path-is-absolute\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"path-is-absolute\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"resolve\",\n 
\"installed_version\": \"1.12.0\",\n \"path\": \"resolve\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"resolve\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"sprintf-js\",\n \"installed_version\": \"1.0.3\",\n \"path\": \"sprintf-js\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"sprintf-js\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"supports-color\",\n \"installed_version\": \"5.5.0\",\n \"path\": \"supports-color\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"supports-color\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"tslib\",\n \"installed_version\": \"1.10.0\",\n \"path\": \"tslib\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"tslib\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"tslint\",\n \"installed_version\": \"5.20.0\",\n \"path\": \"tslint\",\n \"direct\": true,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"tsutils\",\n \"installed_version\": \"2.29.0\",\n \"path\": \"tsutils\",\n 
\"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"tsutils\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"typescript\",\n \"installed_version\": \"3.6.4\",\n \"path\": \"typescript\",\n \"direct\": true,\n \"direct_dependency_to_bump\": \"typescript\",\n \"dependency_path\": [\n \"typescript\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n },\n {\n \"package\": \"wrappy\",\n \"installed_version\": \"1.0.2\",\n \"path\": \"wrappy\",\n \"direct\": false,\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"wrappy\"\n ],\n \"confidence\": \"high\",\n \"false_positive_guard\": \"No finding was emitted because OSV returned no advisory for this exact package and installed version.\"\n }\n ],\n \"graph\": {\n \"nodes\": [\n {\n \"id\": \"pkg:npm/@babel/code-frame@7.5.5\",\n \"type\": \"dependency\",\n \"package\": \"@babel/code-frame\",\n \"installed_version\": \"7.5.5\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"@babel/code-frame\"\n ]\n },\n {\n \"id\": \"pkg:npm/@babel/highlight@7.5.0\",\n \"type\": \"dependency\",\n \"package\": \"@babel/highlight\",\n \"installed_version\": \"7.5.0\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"@babel/highlight\"\n ]\n },\n {\n \"id\": \"pkg:npm/@types/node@12.11.1\",\n \"type\": \"dependency\",\n \"package\": \"@types/node\",\n \"installed_version\": \"12.11.1\",\n \"direct_dependency_to_bump\": \"@types/node\",\n \"dependency_path\": [\n \"@types/node\"\n ]\n },\n {\n \"id\": \"pkg:npm/ansi-styles@3.2.1\",\n \"type\": \"dependency\",\n \"package\": \"ansi-styles\",\n \"installed_version\": 
\"3.2.1\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"ansi-styles\"\n ]\n },\n {\n \"id\": \"pkg:npm/argparse@1.0.10\",\n \"type\": \"dependency\",\n \"package\": \"argparse\",\n \"installed_version\": \"1.0.10\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"argparse\"\n ]\n },\n {\n \"id\": \"pkg:npm/balanced-match@1.0.0\",\n \"type\": \"dependency\",\n \"package\": \"balanced-match\",\n \"installed_version\": \"1.0.0\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"balanced-match\"\n ]\n },\n {\n \"id\": \"pkg:npm/brace-expansion@1.1.11\",\n \"type\": \"dependency\",\n \"package\": \"brace-expansion\",\n \"installed_version\": \"1.1.11\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"brace-expansion\"\n ]\n },\n {\n \"id\": \"pkg:npm/builtin-modules@1.1.1\",\n \"type\": \"dependency\",\n \"package\": \"builtin-modules\",\n \"installed_version\": \"1.1.1\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"builtin-modules\"\n ]\n },\n {\n \"id\": \"pkg:npm/chalk@2.4.2\",\n \"type\": \"dependency\",\n \"package\": \"chalk\",\n \"installed_version\": \"2.4.2\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"chalk\"\n ]\n },\n {\n \"id\": \"pkg:npm/color-convert@1.9.3\",\n \"type\": \"dependency\",\n \"package\": \"color-convert\",\n \"installed_version\": \"1.9.3\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"color-convert\"\n ]\n },\n {\n \"id\": \"pkg:npm/color-name@1.1.3\",\n \"type\": \"dependency\",\n \"package\": \"color-name\",\n \"installed_version\": \"1.1.3\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"color-name\"\n ]\n },\n {\n \"id\": \"pkg:npm/commander@2.20.3\",\n \"type\": \"dependency\",\n \"package\": 
\"commander\",\n \"installed_version\": \"2.20.3\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"commander\"\n ]\n },\n {\n \"id\": \"pkg:npm/concat-map@0.0.1\",\n \"type\": \"dependency\",\n \"package\": \"concat-map\",\n \"installed_version\": \"0.0.1\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"concat-map\"\n ]\n },\n {\n \"id\": \"pkg:npm/diff@4.0.1\",\n \"type\": \"dependency\",\n \"package\": \"diff\",\n \"installed_version\": \"4.0.1\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"diff\"\n ]\n },\n {\n \"id\": \"pkg:npm/escape-string-regexp@1.0.5\",\n \"type\": \"dependency\",\n \"package\": \"escape-string-regexp\",\n \"installed_version\": \"1.0.5\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"escape-string-regexp\"\n ]\n },\n {\n \"id\": \"pkg:npm/esprima@4.0.1\",\n \"type\": \"dependency\",\n \"package\": \"esprima\",\n \"installed_version\": \"4.0.1\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"esprima\"\n ]\n },\n {\n \"id\": \"pkg:npm/esutils@2.0.3\",\n \"type\": \"dependency\",\n \"package\": \"esutils\",\n \"installed_version\": \"2.0.3\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"esutils\"\n ]\n },\n {\n \"id\": \"pkg:npm/fs.realpath@1.0.0\",\n \"type\": \"dependency\",\n \"package\": \"fs.realpath\",\n \"installed_version\": \"1.0.0\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"fs.realpath\"\n ]\n },\n {\n \"id\": \"pkg:npm/glob@7.1.4\",\n \"type\": \"dependency\",\n \"package\": \"glob\",\n \"installed_version\": \"7.1.4\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"glob\"\n ]\n },\n {\n \"id\": \"pkg:npm/has-flag@3.0.0\",\n \"type\": \"dependency\",\n \"package\": \"has-flag\",\n 
\"installed_version\": \"3.0.0\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"has-flag\"\n ]\n },\n {\n \"id\": \"pkg:npm/inflight@1.0.6\",\n \"type\": \"dependency\",\n \"package\": \"inflight\",\n \"installed_version\": \"1.0.6\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"inflight\"\n ]\n },\n {\n \"id\": \"pkg:npm/inherits@2.0.4\",\n \"type\": \"dependency\",\n \"package\": \"inherits\",\n \"installed_version\": \"2.0.4\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"inherits\"\n ]\n },\n {\n \"id\": \"pkg:npm/js-tokens@4.0.0\",\n \"type\": \"dependency\",\n \"package\": \"js-tokens\",\n \"installed_version\": \"4.0.0\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"js-tokens\"\n ]\n },\n {\n \"id\": \"pkg:npm/js-yaml@3.13.1\",\n \"type\": \"dependency\",\n \"package\": \"js-yaml\",\n \"installed_version\": \"3.13.1\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"js-yaml\"\n ]\n },\n {\n \"id\": \"pkg:npm/minimatch@3.0.4\",\n \"type\": \"dependency\",\n \"package\": \"minimatch\",\n \"installed_version\": \"3.0.4\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"minimatch\"\n ]\n },\n {\n \"id\": \"pkg:npm/minimist@0.0.8\",\n \"type\": \"dependency\",\n \"package\": \"minimist\",\n \"installed_version\": \"0.0.8\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"minimist\"\n ]\n },\n {\n \"id\": \"pkg:npm/mkdirp@0.5.1\",\n \"type\": \"dependency\",\n \"package\": \"mkdirp\",\n \"installed_version\": \"0.5.1\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"mkdirp\"\n ]\n },\n {\n \"id\": \"pkg:npm/once@1.4.0\",\n \"type\": \"dependency\",\n \"package\": \"once\",\n \"installed_version\": \"1.4.0\",\n 
\"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"once\"\n ]\n },\n {\n \"id\": \"pkg:npm/path-is-absolute@1.0.1\",\n \"type\": \"dependency\",\n \"package\": \"path-is-absolute\",\n \"installed_version\": \"1.0.1\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"path-is-absolute\"\n ]\n },\n {\n \"id\": \"pkg:npm/path-parse@1.0.6\",\n \"type\": \"dependency\",\n \"package\": \"path-parse\",\n \"installed_version\": \"1.0.6\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"path-parse\"\n ]\n },\n {\n \"id\": \"pkg:npm/resolve@1.12.0\",\n \"type\": \"dependency\",\n \"package\": \"resolve\",\n \"installed_version\": \"1.12.0\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"resolve\"\n ]\n },\n {\n \"id\": \"pkg:npm/semver@5.7.1\",\n \"type\": \"dependency\",\n \"package\": \"semver\",\n \"installed_version\": \"5.7.1\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"semver\"\n ]\n },\n {\n \"id\": \"pkg:npm/sprintf-js@1.0.3\",\n \"type\": \"dependency\",\n \"package\": \"sprintf-js\",\n \"installed_version\": \"1.0.3\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"sprintf-js\"\n ]\n },\n {\n \"id\": \"pkg:npm/supports-color@5.5.0\",\n \"type\": \"dependency\",\n \"package\": \"supports-color\",\n \"installed_version\": \"5.5.0\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"supports-color\"\n ]\n },\n {\n \"id\": \"pkg:npm/tslib@1.10.0\",\n \"type\": \"dependency\",\n \"package\": \"tslib\",\n \"installed_version\": \"1.10.0\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"tslib\"\n ]\n },\n {\n \"id\": \"pkg:npm/tslint@5.20.0\",\n \"type\": \"dependency\",\n \"package\": \"tslint\",\n \"installed_version\": \"5.20.0\",\n 
\"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\"\n ]\n },\n {\n \"id\": \"pkg:npm/tsutils@2.29.0\",\n \"type\": \"dependency\",\n \"package\": \"tsutils\",\n \"installed_version\": \"2.29.0\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"tsutils\"\n ]\n },\n {\n \"id\": \"pkg:npm/typescript@3.6.4\",\n \"type\": \"dependency\",\n \"package\": \"typescript\",\n \"installed_version\": \"3.6.4\",\n \"direct_dependency_to_bump\": \"typescript\",\n \"dependency_path\": [\n \"typescript\"\n ]\n },\n {\n \"id\": \"pkg:npm/wrappy@1.0.2\",\n \"type\": \"dependency\",\n \"package\": \"wrappy\",\n \"installed_version\": \"1.0.2\",\n \"direct_dependency_to_bump\": \"tslint\",\n \"dependency_path\": [\n \"tslint\",\n \"wrappy\"\n ]\n },\n {\n \"id\": \"adv:GHSA-f886-m6hf-6m8v\",\n \"type\": \"advisory\",\n \"advisory_id\": \"GHSA-f886-m6hf-6m8v\",\n \"severity\": \"unknown\",\n \"fix_version\": null\n },\n {\n \"id\": \"adv:GHSA-v6h2-p8h4-qcjw\",\n \"type\": \"advisory\",\n \"advisory_id\": \"GHSA-v6h2-p8h4-qcjw\",\n \"severity\": \"unknown\",\n \"fix_version\": null\n },\n {\n \"id\": \"adv:GHSA-73rr-hh4g-fpgx\",\n \"type\": \"advisory\",\n \"advisory_id\": \"GHSA-73rr-hh4g-fpgx\",\n \"severity\": \"unknown\",\n \"fix_version\": null\n },\n {\n \"id\": \"adv:GHSA-h67p-54hq-rp68\",\n \"type\": \"advisory\",\n \"advisory_id\": \"GHSA-h67p-54hq-rp68\",\n \"severity\": \"unknown\",\n \"fix_version\": null\n },\n {\n \"id\": \"adv:GHSA-mh29-5h37-fv8m\",\n \"type\": \"advisory\",\n \"advisory_id\": \"GHSA-mh29-5h37-fv8m\",\n \"severity\": \"unknown\",\n \"fix_version\": null\n },\n {\n \"id\": \"adv:GHSA-23c5-xmqv-rm74\",\n \"type\": \"advisory\",\n \"advisory_id\": \"GHSA-23c5-xmqv-rm74\",\n \"severity\": \"unknown\",\n \"fix_version\": null\n },\n {\n \"id\": \"adv:GHSA-3ppc-4f35-3m26\",\n \"type\": \"advisory\",\n \"advisory_id\": \"GHSA-3ppc-4f35-3m26\",\n \"severity\": \"unknown\",\n \"fix_version\": 
null\n },\n {\n \"id\": \"adv:GHSA-7r86-cg39-jmmj\",\n \"type\": \"advisory\",\n \"advisory_id\": \"GHSA-7r86-cg39-jmmj\",\n \"severity\": \"unknown\",\n \"fix_version\": null\n },\n {\n \"id\": \"adv:GHSA-f8q6-p94x-37v3\",\n \"type\": \"advisory\",\n \"advisory_id\": \"GHSA-f8q6-p94x-37v3\",\n \"severity\": \"unknown\",\n \"fix_version\": null\n },\n {\n \"id\": \"adv:GHSA-vh95-rmgr-6w4m\",\n \"type\": \"advisory\",\n \"advisory_id\": \"GHSA-vh95-rmgr-6w4m\",\n \"severity\": \"unknown\",\n \"fix_version\": null\n },\n {\n \"id\": \"adv:GHSA-xvch-5gv4-984h\",\n \"type\": \"advisory\",\n \"advisory_id\": \"GHSA-xvch-5gv4-984h\",\n \"severity\": \"unknown\",\n \"fix_version\": null\n },\n {\n \"id\": \"adv:GHSA-hj48-42vr-x3v9\",\n \"type\": \"advisory\",\n \"advisory_id\": \"GHSA-hj48-42vr-x3v9\",\n \"severity\": \"unknown\",\n \"fix_version\": null\n },\n {\n \"id\": \"adv:GHSA-c2qf-rxjj-qqgw\",\n \"type\": \"advisory\",\n \"advisory_id\": \"GHSA-c2qf-rxjj-qqgw\",\n \"severity\": \"unknown\",\n \"fix_version\": null\n }\n ],\n \"edges\": [\n {\n \"from\": \"pkg:npm/brace-expansion@1.1.11\",\n \"to\": \"adv:GHSA-f886-m6hf-6m8v\",\n \"relationship\": \"osv_exact_version_matches_advisory\",\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v\",\n \"direct_dependency_to_bump\": \"tslint\"\n },\n {\n \"from\": \"pkg:npm/brace-expansion@1.1.11\",\n \"to\": \"adv:GHSA-v6h2-p8h4-qcjw\",\n \"relationship\": \"osv_exact_version_matches_advisory\",\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-v6h2-p8h4-qcjw\",\n \"direct_dependency_to_bump\": \"tslint\"\n },\n {\n \"from\": \"pkg:npm/diff@4.0.1\",\n \"to\": \"adv:GHSA-73rr-hh4g-fpgx\",\n \"relationship\": \"osv_exact_version_matches_advisory\",\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-73rr-hh4g-fpgx\",\n \"direct_dependency_to_bump\": \"tslint\"\n },\n {\n \"from\": \"pkg:npm/js-yaml@3.13.1\",\n \"to\": \"adv:GHSA-h67p-54hq-rp68\",\n \"relationship\": 
\"osv_exact_version_matches_advisory\",\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-h67p-54hq-rp68\",\n \"direct_dependency_to_bump\": \"tslint\"\n },\n {\n \"from\": \"pkg:npm/js-yaml@3.13.1\",\n \"to\": \"adv:GHSA-mh29-5h37-fv8m\",\n \"relationship\": \"osv_exact_version_matches_advisory\",\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-mh29-5h37-fv8m\",\n \"direct_dependency_to_bump\": \"tslint\"\n },\n {\n \"from\": \"pkg:npm/minimatch@3.0.4\",\n \"to\": \"adv:GHSA-23c5-xmqv-rm74\",\n \"relationship\": \"osv_exact_version_matches_advisory\",\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-23c5-xmqv-rm74\",\n \"direct_dependency_to_bump\": \"tslint\"\n },\n {\n \"from\": \"pkg:npm/minimatch@3.0.4\",\n \"to\": \"adv:GHSA-3ppc-4f35-3m26\",\n \"relationship\": \"osv_exact_version_matches_advisory\",\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-3ppc-4f35-3m26\",\n \"direct_dependency_to_bump\": \"tslint\"\n },\n {\n \"from\": \"pkg:npm/minimatch@3.0.4\",\n \"to\": \"adv:GHSA-7r86-cg39-jmmj\",\n \"relationship\": \"osv_exact_version_matches_advisory\",\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-7r86-cg39-jmmj\",\n \"direct_dependency_to_bump\": \"tslint\"\n },\n {\n \"from\": \"pkg:npm/minimatch@3.0.4\",\n \"to\": \"adv:GHSA-f8q6-p94x-37v3\",\n \"relationship\": \"osv_exact_version_matches_advisory\",\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-f8q6-p94x-37v3\",\n \"direct_dependency_to_bump\": \"tslint\"\n },\n {\n \"from\": \"pkg:npm/minimist@0.0.8\",\n \"to\": \"adv:GHSA-vh95-rmgr-6w4m\",\n \"relationship\": \"osv_exact_version_matches_advisory\",\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m\",\n \"direct_dependency_to_bump\": \"tslint\"\n },\n {\n \"from\": \"pkg:npm/minimist@0.0.8\",\n \"to\": \"adv:GHSA-xvch-5gv4-984h\",\n \"relationship\": \"osv_exact_version_matches_advisory\",\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-xvch-5gv4-984h\",\n 
\"direct_dependency_to_bump\": \"tslint\"\n },\n {\n \"from\": \"pkg:npm/path-parse@1.0.6\",\n \"to\": \"adv:GHSA-hj48-42vr-x3v9\",\n \"relationship\": \"osv_exact_version_matches_advisory\",\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-hj48-42vr-x3v9\",\n \"direct_dependency_to_bump\": \"tslint\"\n },\n {\n \"from\": \"pkg:npm/semver@5.7.1\",\n \"to\": \"adv:GHSA-c2qf-rxjj-qqgw\",\n \"relationship\": \"osv_exact_version_matches_advisory\",\n \"evidence_url\": \"https://osv.dev/vulnerability/GHSA-c2qf-rxjj-qqgw\",\n \"direct_dependency_to_bump\": \"tslint\"\n }\n ]\n },\n \"false_positive_guards\": [\n {\n \"package\": \"@babel/code-frame\",\n \"installed_version\": \"7.5.5\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"@babel/highlight\",\n \"installed_version\": \"7.5.0\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"@types/node\",\n \"installed_version\": \"12.11.1\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"ansi-styles\",\n \"installed_version\": \"3.2.1\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"argparse\",\n \"installed_version\": \"1.0.10\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"balanced-match\",\n \"installed_version\": \"1.0.0\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"builtin-modules\",\n \"installed_version\": \"1.1.1\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"chalk\",\n \"installed_version\": \"2.4.2\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n 
\"package\": \"color-convert\",\n \"installed_version\": \"1.9.3\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"color-name\",\n \"installed_version\": \"1.1.3\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"commander\",\n \"installed_version\": \"2.20.3\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"concat-map\",\n \"installed_version\": \"0.0.1\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"escape-string-regexp\",\n \"installed_version\": \"1.0.5\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"esprima\",\n \"installed_version\": \"4.0.1\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"esutils\",\n \"installed_version\": \"2.0.3\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"fs.realpath\",\n \"installed_version\": \"1.0.0\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"glob\",\n \"installed_version\": \"7.1.4\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"has-flag\",\n \"installed_version\": \"3.0.0\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"inflight\",\n \"installed_version\": \"1.0.6\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"inherits\",\n \"installed_version\": \"2.0.4\",\n \"guard\": \"OSV returned no vulnerability for this exact package and 
installed version.\"\n },\n {\n \"package\": \"js-tokens\",\n \"installed_version\": \"4.0.0\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"mkdirp\",\n \"installed_version\": \"0.5.1\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"once\",\n \"installed_version\": \"1.4.0\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"path-is-absolute\",\n \"installed_version\": \"1.0.1\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"resolve\",\n \"installed_version\": \"1.12.0\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"sprintf-js\",\n \"installed_version\": \"1.0.3\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"supports-color\",\n \"installed_version\": \"5.5.0\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"tslib\",\n \"installed_version\": \"1.10.0\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"tslint\",\n \"installed_version\": \"5.20.0\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"tsutils\",\n \"installed_version\": \"2.29.0\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"typescript\",\n \"installed_version\": \"3.6.4\",\n \"guard\": \"OSV returned no vulnerability for this exact package and installed version.\"\n },\n {\n \"package\": \"wrappy\",\n \"installed_version\": \"1.0.2\",\n \"guard\": \"OSV returned no vulnerability for this exact 
package and installed version.\"\n }\n ],\n \"validation\": {\n \"exact_version_match\": true,\n \"no_package_name_only_false_positives\": true,\n \"package_name_only_guard_count\": 32,\n \"target_lockfile_ingested\": true,\n \"target_code_executed\": true,\n \"target_code_execution_note\": \"The scanner executed against and parsed the target project's dependency lockfile; it did not run application code.\",\n \"target_packages_installed\": false,\n \"osv_runtime_query_performed\": true,\n \"advisory_source_mode\": \"live_osv_querybatch\",\n \"direct_dependency_fix_paths_count\": 13\n },\n \"operator_next_steps\": [\n \"Bump the listed direct_dependency_to_bump to a version that resolves the advisory.\",\n \"Regenerate the lockfile and re-run this skill against the updated lockfile.\",\n \"Attach the OSV evidence URL, fix path, and runx receipt to the dependency review record.\"\n ]\n}\n", + "structured_output": { + "advisory_id": "GHSA-f886-m6hf-6m8v", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "clean_packages": [ + { + "confidence": "high", + "dependency_path": [ + "tslint", + "@babel/code-frame" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "7.5.5", + "package": "@babel/code-frame", + "path": "@babel/code-frame" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "@babel/highlight" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "7.5.0", + "package": "@babel/highlight", + "path": "@babel/highlight" + }, + { + "confidence": "high", + "dependency_path": [ + "@types/node" + ], + "direct": true, + "direct_dependency_to_bump": "@types/node", + "false_positive_guard": "No finding was emitted 
because OSV returned no advisory for this exact package and installed version.", + "installed_version": "12.11.1", + "package": "@types/node", + "path": "@types/node" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "ansi-styles" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "3.2.1", + "package": "ansi-styles", + "path": "ansi-styles" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "argparse" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.10", + "package": "argparse", + "path": "argparse" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "balanced-match" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.0", + "package": "balanced-match", + "path": "balanced-match" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "builtin-modules" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.1.1", + "package": "builtin-modules", + "path": "builtin-modules" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "chalk" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "2.4.2", + "package": "chalk", + "path": "chalk" + }, + { + 
"confidence": "high", + "dependency_path": [ + "tslint", + "color-convert" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.9.3", + "package": "color-convert", + "path": "color-convert" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "color-name" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.1.3", + "package": "color-name", + "path": "color-name" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "commander" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "2.20.3", + "package": "commander", + "path": "commander" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "concat-map" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "0.0.1", + "package": "concat-map", + "path": "concat-map" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "escape-string-regexp" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.5", + "package": "escape-string-regexp", + "path": "escape-string-regexp" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "esprima" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + 
"false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "4.0.1", + "package": "esprima", + "path": "esprima" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "esutils" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "2.0.3", + "package": "esutils", + "path": "esutils" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "fs.realpath" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.0", + "package": "fs.realpath", + "path": "fs.realpath" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "glob" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "7.1.4", + "package": "glob", + "path": "glob" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "has-flag" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "3.0.0", + "package": "has-flag", + "path": "has-flag" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "inflight" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.6", + "package": "inflight", + "path": "inflight" + }, + { + "confidence": 
"high", + "dependency_path": [ + "tslint", + "inherits" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "2.0.4", + "package": "inherits", + "path": "inherits" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "js-tokens" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "4.0.0", + "package": "js-tokens", + "path": "js-tokens" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "mkdirp" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "0.5.1", + "package": "mkdirp", + "path": "mkdirp" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "once" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.4.0", + "package": "once", + "path": "once" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "path-is-absolute" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.1", + "package": "path-is-absolute", + "path": "path-is-absolute" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "resolve" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this 
exact package and installed version.", + "installed_version": "1.12.0", + "package": "resolve", + "path": "resolve" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "sprintf-js" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.3", + "package": "sprintf-js", + "path": "sprintf-js" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "supports-color" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "5.5.0", + "package": "supports-color", + "path": "supports-color" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "tslib" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.10.0", + "package": "tslib", + "path": "tslib" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint" + ], + "direct": true, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "5.20.0", + "package": "tslint", + "path": "tslint" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "tsutils" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "2.29.0", + "package": "tsutils", + "path": "tsutils" + }, + { + "confidence": "high", + "dependency_path": [ + "typescript" + ], + "direct": true, + 
"direct_dependency_to_bump": "typescript", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "3.6.4", + "package": "typescript", + "path": "typescript" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "wrappy" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.2", + "package": "wrappy", + "path": "wrappy" + } + ], + "confidence": "high", + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v", + "exact_version_match": true, + "false_positive_guards": [ + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "7.5.5", + "package": "@babel/code-frame" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "7.5.0", + "package": "@babel/highlight" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "12.11.1", + "package": "@types/node" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "3.2.1", + "package": "ansi-styles" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.10", + "package": "argparse" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.0", + "package": "balanced-match" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.1.1", + "package": "builtin-modules" + }, + { + "guard": "OSV returned no 
vulnerability for this exact package and installed version.", + "installed_version": "2.4.2", + "package": "chalk" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.9.3", + "package": "color-convert" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.1.3", + "package": "color-name" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "2.20.3", + "package": "commander" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "0.0.1", + "package": "concat-map" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.5", + "package": "escape-string-regexp" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "4.0.1", + "package": "esprima" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "2.0.3", + "package": "esutils" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.0", + "package": "fs.realpath" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "7.1.4", + "package": "glob" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "3.0.0", + "package": "has-flag" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.6", + "package": "inflight" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "2.0.4", + "package": "inherits" + }, 
+ { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "4.0.0", + "package": "js-tokens" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "0.5.1", + "package": "mkdirp" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.4.0", + "package": "once" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.1", + "package": "path-is-absolute" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.12.0", + "package": "resolve" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.3", + "package": "sprintf-js" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "5.5.0", + "package": "supports-color" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.10.0", + "package": "tslib" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "5.20.0", + "package": "tslint" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "2.29.0", + "package": "tsutils" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "3.6.4", + "package": "typescript" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.2", + "package": "wrappy" + } + ], + "findings": [ + { + "advisory_id": "GHSA-f886-m6hf-6m8v", + "advisory_source": "https://api.osv.dev/v1/querybatch", + 
"aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "brace-expansion" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-f886-m6hf-6m8v.", + "fix_version": null, + "installed_version": "1.1.11", + "package": "brace-expansion", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-v6h2-p8h4-qcjw", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "brace-expansion" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-v6h2-p8h4-qcjw", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-v6h2-p8h4-qcjw.", + "fix_version": null, + "installed_version": "1.1.11", + "package": "brace-expansion", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-73rr-hh4g-fpgx", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "diff" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-73rr-hh4g-fpgx", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-73rr-hh4g-fpgx.", + "fix_version": null, + 
"installed_version": "4.0.1", + "package": "diff", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-h67p-54hq-rp68", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "js-yaml" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-h67p-54hq-rp68", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-h67p-54hq-rp68.", + "fix_version": null, + "installed_version": "3.13.1", + "package": "js-yaml", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-mh29-5h37-fv8m", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "js-yaml" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-mh29-5h37-fv8m", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-mh29-5h37-fv8m.", + "fix_version": null, + "installed_version": "3.13.1", + "package": "js-yaml", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-23c5-xmqv-rm74", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-23c5-xmqv-rm74", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after 
OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-23c5-xmqv-rm74.", + "fix_version": null, + "installed_version": "3.0.4", + "package": "minimatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-3ppc-4f35-3m26", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-3ppc-4f35-3m26", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-3ppc-4f35-3m26.", + "fix_version": null, + "installed_version": "3.0.4", + "package": "minimatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-7r86-cg39-jmmj", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-7r86-cg39-jmmj", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-7r86-cg39-jmmj.", + "fix_version": null, + "installed_version": "3.0.4", + "package": "minimatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-f8q6-p94x-37v3", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimatch" + ], + 
"direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f8q6-p94x-37v3", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-f8q6-p94x-37v3.", + "fix_version": null, + "installed_version": "3.0.4", + "package": "minimatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-vh95-rmgr-6w4m", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimist" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-vh95-rmgr-6w4m.", + "fix_version": null, + "installed_version": "0.0.8", + "package": "minimist", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-xvch-5gv4-984h", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimist" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-xvch-5gv4-984h", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-xvch-5gv4-984h.", + "fix_version": null, + "installed_version": "0.0.8", + "package": "minimist", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + 
"advisory_id": "GHSA-hj48-42vr-x3v9", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "path-parse" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-hj48-42vr-x3v9", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-hj48-42vr-x3v9.", + "fix_version": null, + "installed_version": "1.0.6", + "package": "path-parse", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-c2qf-rxjj-qqgw", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "semver" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-c2qf-rxjj-qqgw", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-c2qf-rxjj-qqgw.", + "fix_version": null, + "installed_version": "5.7.1", + "package": "semver", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + } + ], + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-f886-m6hf-6m8v.", + "fix_version": null, + "graph": { + "edges": [ + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v", + "from": "pkg:npm/brace-expansion@1.1.11", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-f886-m6hf-6m8v" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-v6h2-p8h4-qcjw", + "from": 
"pkg:npm/brace-expansion@1.1.11", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-v6h2-p8h4-qcjw" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-73rr-hh4g-fpgx", + "from": "pkg:npm/diff@4.0.1", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-73rr-hh4g-fpgx" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-h67p-54hq-rp68", + "from": "pkg:npm/js-yaml@3.13.1", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-h67p-54hq-rp68" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-mh29-5h37-fv8m", + "from": "pkg:npm/js-yaml@3.13.1", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-mh29-5h37-fv8m" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-23c5-xmqv-rm74", + "from": "pkg:npm/minimatch@3.0.4", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-23c5-xmqv-rm74" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-3ppc-4f35-3m26", + "from": "pkg:npm/minimatch@3.0.4", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-3ppc-4f35-3m26" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-7r86-cg39-jmmj", + "from": "pkg:npm/minimatch@3.0.4", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-7r86-cg39-jmmj" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f8q6-p94x-37v3", + "from": "pkg:npm/minimatch@3.0.4", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-f8q6-p94x-37v3" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m", + "from": 
"pkg:npm/minimist@0.0.8", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-vh95-rmgr-6w4m" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-xvch-5gv4-984h", + "from": "pkg:npm/minimist@0.0.8", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-xvch-5gv4-984h" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-hj48-42vr-x3v9", + "from": "pkg:npm/path-parse@1.0.6", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-hj48-42vr-x3v9" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-c2qf-rxjj-qqgw", + "from": "pkg:npm/semver@5.7.1", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-c2qf-rxjj-qqgw" + } + ], + "nodes": [ + { + "dependency_path": [ + "tslint", + "@babel/code-frame" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/@babel/code-frame@7.5.5", + "installed_version": "7.5.5", + "package": "@babel/code-frame", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "@babel/highlight" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/@babel/highlight@7.5.0", + "installed_version": "7.5.0", + "package": "@babel/highlight", + "type": "dependency" + }, + { + "dependency_path": [ + "@types/node" + ], + "direct_dependency_to_bump": "@types/node", + "id": "pkg:npm/@types/node@12.11.1", + "installed_version": "12.11.1", + "package": "@types/node", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "ansi-styles" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/ansi-styles@3.2.1", + "installed_version": "3.2.1", + "package": "ansi-styles", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "argparse" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/argparse@1.0.10", + "installed_version": "1.0.10", + "package": 
"argparse", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "balanced-match" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/balanced-match@1.0.0", + "installed_version": "1.0.0", + "package": "balanced-match", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "brace-expansion" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/brace-expansion@1.1.11", + "installed_version": "1.1.11", + "package": "brace-expansion", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "builtin-modules" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/builtin-modules@1.1.1", + "installed_version": "1.1.1", + "package": "builtin-modules", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "chalk" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/chalk@2.4.2", + "installed_version": "2.4.2", + "package": "chalk", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "color-convert" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/color-convert@1.9.3", + "installed_version": "1.9.3", + "package": "color-convert", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "color-name" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/color-name@1.1.3", + "installed_version": "1.1.3", + "package": "color-name", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "commander" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/commander@2.20.3", + "installed_version": "2.20.3", + "package": "commander", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "concat-map" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/concat-map@0.0.1", + "installed_version": "0.0.1", + "package": "concat-map", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "diff" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/diff@4.0.1", + 
"installed_version": "4.0.1", + "package": "diff", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "escape-string-regexp" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/escape-string-regexp@1.0.5", + "installed_version": "1.0.5", + "package": "escape-string-regexp", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "esprima" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/esprima@4.0.1", + "installed_version": "4.0.1", + "package": "esprima", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "esutils" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/esutils@2.0.3", + "installed_version": "2.0.3", + "package": "esutils", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "fs.realpath" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/fs.realpath@1.0.0", + "installed_version": "1.0.0", + "package": "fs.realpath", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "glob" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/glob@7.1.4", + "installed_version": "7.1.4", + "package": "glob", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "has-flag" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/has-flag@3.0.0", + "installed_version": "3.0.0", + "package": "has-flag", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "inflight" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/inflight@1.0.6", + "installed_version": "1.0.6", + "package": "inflight", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "inherits" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/inherits@2.0.4", + "installed_version": "2.0.4", + "package": "inherits", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "js-tokens" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/js-tokens@4.0.0", + "installed_version": 
"4.0.0", + "package": "js-tokens", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "js-yaml" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/js-yaml@3.13.1", + "installed_version": "3.13.1", + "package": "js-yaml", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/minimatch@3.0.4", + "installed_version": "3.0.4", + "package": "minimatch", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "minimist" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/minimist@0.0.8", + "installed_version": "0.0.8", + "package": "minimist", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "mkdirp" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/mkdirp@0.5.1", + "installed_version": "0.5.1", + "package": "mkdirp", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "once" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/once@1.4.0", + "installed_version": "1.4.0", + "package": "once", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "path-is-absolute" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/path-is-absolute@1.0.1", + "installed_version": "1.0.1", + "package": "path-is-absolute", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "path-parse" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/path-parse@1.0.6", + "installed_version": "1.0.6", + "package": "path-parse", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "resolve" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/resolve@1.12.0", + "installed_version": "1.12.0", + "package": "resolve", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "semver" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/semver@5.7.1", + "installed_version": "5.7.1", + "package": "semver", + 
"type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "sprintf-js" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/sprintf-js@1.0.3", + "installed_version": "1.0.3", + "package": "sprintf-js", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "supports-color" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/supports-color@5.5.0", + "installed_version": "5.5.0", + "package": "supports-color", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "tslib" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/tslib@1.10.0", + "installed_version": "1.10.0", + "package": "tslib", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/tslint@5.20.0", + "installed_version": "5.20.0", + "package": "tslint", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "tsutils" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/tsutils@2.29.0", + "installed_version": "2.29.0", + "package": "tsutils", + "type": "dependency" + }, + { + "dependency_path": [ + "typescript" + ], + "direct_dependency_to_bump": "typescript", + "id": "pkg:npm/typescript@3.6.4", + "installed_version": "3.6.4", + "package": "typescript", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "wrappy" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/wrappy@1.0.2", + "installed_version": "1.0.2", + "package": "wrappy", + "type": "dependency" + }, + { + "advisory_id": "GHSA-f886-m6hf-6m8v", + "fix_version": null, + "id": "adv:GHSA-f886-m6hf-6m8v", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-v6h2-p8h4-qcjw", + "fix_version": null, + "id": "adv:GHSA-v6h2-p8h4-qcjw", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-73rr-hh4g-fpgx", + "fix_version": null, + "id": "adv:GHSA-73rr-hh4g-fpgx", + "severity": "unknown", + "type": "advisory" + }, + { 
+ "advisory_id": "GHSA-h67p-54hq-rp68", + "fix_version": null, + "id": "adv:GHSA-h67p-54hq-rp68", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-mh29-5h37-fv8m", + "fix_version": null, + "id": "adv:GHSA-mh29-5h37-fv8m", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-23c5-xmqv-rm74", + "fix_version": null, + "id": "adv:GHSA-23c5-xmqv-rm74", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-3ppc-4f35-3m26", + "fix_version": null, + "id": "adv:GHSA-3ppc-4f35-3m26", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-7r86-cg39-jmmj", + "fix_version": null, + "id": "adv:GHSA-7r86-cg39-jmmj", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-f8q6-p94x-37v3", + "fix_version": null, + "id": "adv:GHSA-f8q6-p94x-37v3", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-vh95-rmgr-6w4m", + "fix_version": null, + "id": "adv:GHSA-vh95-rmgr-6w4m", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-xvch-5gv4-984h", + "fix_version": null, + "id": "adv:GHSA-xvch-5gv4-984h", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-hj48-42vr-x3v9", + "fix_version": null, + "id": "adv:GHSA-hj48-42vr-x3v9", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-c2qf-rxjj-qqgw", + "fix_version": null, + "id": "adv:GHSA-c2qf-rxjj-qqgw", + "severity": "unknown", + "type": "advisory" + } + ] + }, + "installed_version": "1.1.11", + "operator_next_steps": [ + "Bump the listed direct_dependency_to_bump to a version that resolves the advisory.", + "Regenerate the lockfile and re-run this skill against the updated lockfile.", + "Attach the OSV evidence URL, fix path, and runx receipt to the dependency review record." 
+ ], + "package": "brace-expansion", + "project": { + "lockfile_path": null, + "lockfile_source": "https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json", + "lockfile_url": "https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json", + "name": "eclipse-theia/security-audit", + "url": "https://github.com/eclipse-theia/security-audit" + }, + "retrieved_at": "2026-06-24T00:25:58.356Z", + "schema": "runx.dependency_advisory_graph.v2", + "severity": "unknown", + "validation": { + "advisory_source_mode": "live_osv_querybatch", + "direct_dependency_fix_paths_count": 13, + "exact_version_match": true, + "no_package_name_only_false_positives": true, + "osv_runtime_query_performed": true, + "package_name_only_guard_count": 32, + "target_code_executed": true, + "target_code_execution_note": "The scanner executed against and parsed the target project's dependency lockfile; it did not run application code.", + "target_lockfile_ingested": true, + "target_packages_installed": false + } + } + }, + "payload": { + "advisory_id": "GHSA-f886-m6hf-6m8v", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "clean_packages": [ + { + "confidence": "high", + "dependency_path": [ + "tslint", + "@babel/code-frame" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "7.5.5", + "package": "@babel/code-frame", + "path": "@babel/code-frame" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "@babel/highlight" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "7.5.0", + "package": "@babel/highlight", + "path": "@babel/highlight" + }, + { + "confidence": "high", + 
"dependency_path": [ + "@types/node" + ], + "direct": true, + "direct_dependency_to_bump": "@types/node", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "12.11.1", + "package": "@types/node", + "path": "@types/node" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "ansi-styles" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "3.2.1", + "package": "ansi-styles", + "path": "ansi-styles" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "argparse" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.10", + "package": "argparse", + "path": "argparse" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "balanced-match" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.0", + "package": "balanced-match", + "path": "balanced-match" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "builtin-modules" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.1.1", + "package": "builtin-modules", + "path": "builtin-modules" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "chalk" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV 
returned no advisory for this exact package and installed version.", + "installed_version": "2.4.2", + "package": "chalk", + "path": "chalk" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "color-convert" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.9.3", + "package": "color-convert", + "path": "color-convert" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "color-name" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.1.3", + "package": "color-name", + "path": "color-name" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "commander" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "2.20.3", + "package": "commander", + "path": "commander" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "concat-map" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "0.0.1", + "package": "concat-map", + "path": "concat-map" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "escape-string-regexp" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.5", + "package": "escape-string-regexp", + "path": "escape-string-regexp" + }, + { + 
"confidence": "high", + "dependency_path": [ + "tslint", + "esprima" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "4.0.1", + "package": "esprima", + "path": "esprima" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "esutils" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "2.0.3", + "package": "esutils", + "path": "esutils" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "fs.realpath" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.0", + "package": "fs.realpath", + "path": "fs.realpath" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "glob" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "7.1.4", + "package": "glob", + "path": "glob" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "has-flag" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "3.0.0", + "package": "has-flag", + "path": "has-flag" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "inflight" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact 
package and installed version.", + "installed_version": "1.0.6", + "package": "inflight", + "path": "inflight" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "inherits" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "2.0.4", + "package": "inherits", + "path": "inherits" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "js-tokens" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "4.0.0", + "package": "js-tokens", + "path": "js-tokens" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "mkdirp" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "0.5.1", + "package": "mkdirp", + "path": "mkdirp" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "once" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.4.0", + "package": "once", + "path": "once" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "path-is-absolute" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.1", + "package": "path-is-absolute", + "path": "path-is-absolute" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "resolve" + ], + "direct": false, 
+ "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.12.0", + "package": "resolve", + "path": "resolve" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "sprintf-js" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.3", + "package": "sprintf-js", + "path": "sprintf-js" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "supports-color" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "5.5.0", + "package": "supports-color", + "path": "supports-color" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "tslib" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.10.0", + "package": "tslib", + "path": "tslib" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint" + ], + "direct": true, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "5.20.0", + "package": "tslint", + "path": "tslint" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "tsutils" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "2.29.0", + "package": "tsutils", 
+ "path": "tsutils" + }, + { + "confidence": "high", + "dependency_path": [ + "typescript" + ], + "direct": true, + "direct_dependency_to_bump": "typescript", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "3.6.4", + "package": "typescript", + "path": "typescript" + }, + { + "confidence": "high", + "dependency_path": [ + "tslint", + "wrappy" + ], + "direct": false, + "direct_dependency_to_bump": "tslint", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version.", + "installed_version": "1.0.2", + "package": "wrappy", + "path": "wrappy" + } + ], + "confidence": "high", + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v", + "exact_version_match": true, + "false_positive_guards": [ + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "7.5.5", + "package": "@babel/code-frame" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "7.5.0", + "package": "@babel/highlight" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "12.11.1", + "package": "@types/node" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "3.2.1", + "package": "ansi-styles" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.10", + "package": "argparse" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.0", + "package": "balanced-match" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed 
version.", + "installed_version": "1.1.1", + "package": "builtin-modules" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "2.4.2", + "package": "chalk" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.9.3", + "package": "color-convert" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.1.3", + "package": "color-name" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "2.20.3", + "package": "commander" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "0.0.1", + "package": "concat-map" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.5", + "package": "escape-string-regexp" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "4.0.1", + "package": "esprima" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "2.0.3", + "package": "esutils" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.0", + "package": "fs.realpath" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "7.1.4", + "package": "glob" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "3.0.0", + "package": "has-flag" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.6", + "package": "inflight" + }, + { + "guard": "OSV returned no 
vulnerability for this exact package and installed version.", + "installed_version": "2.0.4", + "package": "inherits" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "4.0.0", + "package": "js-tokens" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "0.5.1", + "package": "mkdirp" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.4.0", + "package": "once" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.1", + "package": "path-is-absolute" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.12.0", + "package": "resolve" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.3", + "package": "sprintf-js" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "5.5.0", + "package": "supports-color" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.10.0", + "package": "tslib" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "5.20.0", + "package": "tslint" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "2.29.0", + "package": "tsutils" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "3.6.4", + "package": "typescript" + }, + { + "guard": "OSV returned no vulnerability for this exact package and installed version.", + "installed_version": "1.0.2", + "package": "wrappy" + } + ], + 
"findings": [ + { + "advisory_id": "GHSA-f886-m6hf-6m8v", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "brace-expansion" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-f886-m6hf-6m8v.", + "fix_version": null, + "installed_version": "1.1.11", + "package": "brace-expansion", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-v6h2-p8h4-qcjw", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "brace-expansion" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-v6h2-p8h4-qcjw", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-v6h2-p8h4-qcjw.", + "fix_version": null, + "installed_version": "1.1.11", + "package": "brace-expansion", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-73rr-hh4g-fpgx", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "diff" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-73rr-hh4g-fpgx", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump 
tslint to a version outside the OSV affected range for GHSA-73rr-hh4g-fpgx.", + "fix_version": null, + "installed_version": "4.0.1", + "package": "diff", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-h67p-54hq-rp68", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "js-yaml" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-h67p-54hq-rp68", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-h67p-54hq-rp68.", + "fix_version": null, + "installed_version": "3.13.1", + "package": "js-yaml", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-mh29-5h37-fv8m", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "js-yaml" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-mh29-5h37-fv8m", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-mh29-5h37-fv8m.", + "fix_version": null, + "installed_version": "3.13.1", + "package": "js-yaml", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-23c5-xmqv-rm74", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": 
"https://osv.dev/vulnerability/GHSA-23c5-xmqv-rm74", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-23c5-xmqv-rm74.", + "fix_version": null, + "installed_version": "3.0.4", + "package": "minimatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-3ppc-4f35-3m26", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-3ppc-4f35-3m26", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-3ppc-4f35-3m26.", + "fix_version": null, + "installed_version": "3.0.4", + "package": "minimatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-7r86-cg39-jmmj", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-7r86-cg39-jmmj", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-7r86-cg39-jmmj.", + "fix_version": null, + "installed_version": "3.0.4", + "package": "minimatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-f8q6-p94x-37v3", + "advisory_source": 
"https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f8q6-p94x-37v3", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-f8q6-p94x-37v3.", + "fix_version": null, + "installed_version": "3.0.4", + "package": "minimatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-vh95-rmgr-6w4m", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimist" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-vh95-rmgr-6w4m.", + "fix_version": null, + "installed_version": "0.0.8", + "package": "minimist", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-xvch-5gv4-984h", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "minimist" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-xvch-5gv4-984h", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-xvch-5gv4-984h.", + "fix_version": null, + 
"installed_version": "0.0.8", + "package": "minimist", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-hj48-42vr-x3v9", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "path-parse" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-hj48-42vr-x3v9", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-hj48-42vr-x3v9.", + "fix_version": null, + "installed_version": "1.0.6", + "package": "path-parse", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + }, + { + "advisory_id": "GHSA-c2qf-rxjj-qqgw", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "aliases": [], + "confidence": "high", + "dependency_path": [ + "tslint", + "semver" + ], + "direct_dependency_to_bump": "tslint", + "ecosystem": "npm", + "evidence_url": "https://osv.dev/vulnerability/GHSA-c2qf-rxjj-qqgw", + "exact_version_match": true, + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version.", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-c2qf-rxjj-qqgw.", + "fix_version": null, + "installed_version": "5.7.1", + "package": "semver", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown" + } + ], + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-f886-m6hf-6m8v.", + "fix_version": null, + "graph": { + "edges": [ + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v", + "from": "pkg:npm/brace-expansion@1.1.11", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-f886-m6hf-6m8v" + }, + { 
+ "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-v6h2-p8h4-qcjw", + "from": "pkg:npm/brace-expansion@1.1.11", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-v6h2-p8h4-qcjw" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-73rr-hh4g-fpgx", + "from": "pkg:npm/diff@4.0.1", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-73rr-hh4g-fpgx" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-h67p-54hq-rp68", + "from": "pkg:npm/js-yaml@3.13.1", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-h67p-54hq-rp68" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-mh29-5h37-fv8m", + "from": "pkg:npm/js-yaml@3.13.1", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-mh29-5h37-fv8m" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-23c5-xmqv-rm74", + "from": "pkg:npm/minimatch@3.0.4", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-23c5-xmqv-rm74" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-3ppc-4f35-3m26", + "from": "pkg:npm/minimatch@3.0.4", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-3ppc-4f35-3m26" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-7r86-cg39-jmmj", + "from": "pkg:npm/minimatch@3.0.4", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-7r86-cg39-jmmj" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f8q6-p94x-37v3", + "from": "pkg:npm/minimatch@3.0.4", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-f8q6-p94x-37v3" + }, + { + 
"direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m", + "from": "pkg:npm/minimist@0.0.8", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-vh95-rmgr-6w4m" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-xvch-5gv4-984h", + "from": "pkg:npm/minimist@0.0.8", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-xvch-5gv4-984h" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-hj48-42vr-x3v9", + "from": "pkg:npm/path-parse@1.0.6", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-hj48-42vr-x3v9" + }, + { + "direct_dependency_to_bump": "tslint", + "evidence_url": "https://osv.dev/vulnerability/GHSA-c2qf-rxjj-qqgw", + "from": "pkg:npm/semver@5.7.1", + "relationship": "osv_exact_version_matches_advisory", + "to": "adv:GHSA-c2qf-rxjj-qqgw" + } + ], + "nodes": [ + { + "dependency_path": [ + "tslint", + "@babel/code-frame" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/@babel/code-frame@7.5.5", + "installed_version": "7.5.5", + "package": "@babel/code-frame", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "@babel/highlight" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/@babel/highlight@7.5.0", + "installed_version": "7.5.0", + "package": "@babel/highlight", + "type": "dependency" + }, + { + "dependency_path": [ + "@types/node" + ], + "direct_dependency_to_bump": "@types/node", + "id": "pkg:npm/@types/node@12.11.1", + "installed_version": "12.11.1", + "package": "@types/node", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "ansi-styles" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/ansi-styles@3.2.1", + "installed_version": "3.2.1", + "package": "ansi-styles", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "argparse" + ], + 
"direct_dependency_to_bump": "tslint", + "id": "pkg:npm/argparse@1.0.10", + "installed_version": "1.0.10", + "package": "argparse", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "balanced-match" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/balanced-match@1.0.0", + "installed_version": "1.0.0", + "package": "balanced-match", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "brace-expansion" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/brace-expansion@1.1.11", + "installed_version": "1.1.11", + "package": "brace-expansion", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "builtin-modules" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/builtin-modules@1.1.1", + "installed_version": "1.1.1", + "package": "builtin-modules", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "chalk" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/chalk@2.4.2", + "installed_version": "2.4.2", + "package": "chalk", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "color-convert" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/color-convert@1.9.3", + "installed_version": "1.9.3", + "package": "color-convert", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "color-name" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/color-name@1.1.3", + "installed_version": "1.1.3", + "package": "color-name", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "commander" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/commander@2.20.3", + "installed_version": "2.20.3", + "package": "commander", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "concat-map" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/concat-map@0.0.1", + "installed_version": "0.0.1", + "package": "concat-map", + "type": "dependency" + }, + { + 
"dependency_path": [ + "tslint", + "diff" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/diff@4.0.1", + "installed_version": "4.0.1", + "package": "diff", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "escape-string-regexp" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/escape-string-regexp@1.0.5", + "installed_version": "1.0.5", + "package": "escape-string-regexp", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "esprima" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/esprima@4.0.1", + "installed_version": "4.0.1", + "package": "esprima", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "esutils" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/esutils@2.0.3", + "installed_version": "2.0.3", + "package": "esutils", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "fs.realpath" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/fs.realpath@1.0.0", + "installed_version": "1.0.0", + "package": "fs.realpath", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "glob" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/glob@7.1.4", + "installed_version": "7.1.4", + "package": "glob", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "has-flag" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/has-flag@3.0.0", + "installed_version": "3.0.0", + "package": "has-flag", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "inflight" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/inflight@1.0.6", + "installed_version": "1.0.6", + "package": "inflight", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "inherits" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/inherits@2.0.4", + "installed_version": "2.0.4", + "package": "inherits", + "type": "dependency" + }, + { + "dependency_path": [ + 
"tslint", + "js-tokens" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/js-tokens@4.0.0", + "installed_version": "4.0.0", + "package": "js-tokens", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "js-yaml" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/js-yaml@3.13.1", + "installed_version": "3.13.1", + "package": "js-yaml", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/minimatch@3.0.4", + "installed_version": "3.0.4", + "package": "minimatch", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "minimist" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/minimist@0.0.8", + "installed_version": "0.0.8", + "package": "minimist", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "mkdirp" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/mkdirp@0.5.1", + "installed_version": "0.5.1", + "package": "mkdirp", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "once" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/once@1.4.0", + "installed_version": "1.4.0", + "package": "once", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "path-is-absolute" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/path-is-absolute@1.0.1", + "installed_version": "1.0.1", + "package": "path-is-absolute", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "path-parse" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/path-parse@1.0.6", + "installed_version": "1.0.6", + "package": "path-parse", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "resolve" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/resolve@1.12.0", + "installed_version": "1.12.0", + "package": "resolve", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "semver" + ], + 
"direct_dependency_to_bump": "tslint", + "id": "pkg:npm/semver@5.7.1", + "installed_version": "5.7.1", + "package": "semver", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "sprintf-js" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/sprintf-js@1.0.3", + "installed_version": "1.0.3", + "package": "sprintf-js", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "supports-color" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/supports-color@5.5.0", + "installed_version": "5.5.0", + "package": "supports-color", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "tslib" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/tslib@1.10.0", + "installed_version": "1.10.0", + "package": "tslib", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/tslint@5.20.0", + "installed_version": "5.20.0", + "package": "tslint", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "tsutils" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/tsutils@2.29.0", + "installed_version": "2.29.0", + "package": "tsutils", + "type": "dependency" + }, + { + "dependency_path": [ + "typescript" + ], + "direct_dependency_to_bump": "typescript", + "id": "pkg:npm/typescript@3.6.4", + "installed_version": "3.6.4", + "package": "typescript", + "type": "dependency" + }, + { + "dependency_path": [ + "tslint", + "wrappy" + ], + "direct_dependency_to_bump": "tslint", + "id": "pkg:npm/wrappy@1.0.2", + "installed_version": "1.0.2", + "package": "wrappy", + "type": "dependency" + }, + { + "advisory_id": "GHSA-f886-m6hf-6m8v", + "fix_version": null, + "id": "adv:GHSA-f886-m6hf-6m8v", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-v6h2-p8h4-qcjw", + "fix_version": null, + "id": "adv:GHSA-v6h2-p8h4-qcjw", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": 
"GHSA-73rr-hh4g-fpgx", + "fix_version": null, + "id": "adv:GHSA-73rr-hh4g-fpgx", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-h67p-54hq-rp68", + "fix_version": null, + "id": "adv:GHSA-h67p-54hq-rp68", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-mh29-5h37-fv8m", + "fix_version": null, + "id": "adv:GHSA-mh29-5h37-fv8m", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-23c5-xmqv-rm74", + "fix_version": null, + "id": "adv:GHSA-23c5-xmqv-rm74", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-3ppc-4f35-3m26", + "fix_version": null, + "id": "adv:GHSA-3ppc-4f35-3m26", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-7r86-cg39-jmmj", + "fix_version": null, + "id": "adv:GHSA-7r86-cg39-jmmj", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-f8q6-p94x-37v3", + "fix_version": null, + "id": "adv:GHSA-f8q6-p94x-37v3", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-vh95-rmgr-6w4m", + "fix_version": null, + "id": "adv:GHSA-vh95-rmgr-6w4m", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-xvch-5gv4-984h", + "fix_version": null, + "id": "adv:GHSA-xvch-5gv4-984h", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-hj48-42vr-x3v9", + "fix_version": null, + "id": "adv:GHSA-hj48-42vr-x3v9", + "severity": "unknown", + "type": "advisory" + }, + { + "advisory_id": "GHSA-c2qf-rxjj-qqgw", + "fix_version": null, + "id": "adv:GHSA-c2qf-rxjj-qqgw", + "severity": "unknown", + "type": "advisory" + } + ] + }, + "installed_version": "1.1.11", + "operator_next_steps": [ + "Bump the listed direct_dependency_to_bump to a version that resolves the advisory.", + "Regenerate the lockfile and re-run this skill against the updated lockfile.", + "Attach the OSV evidence URL, fix path, and runx receipt to the dependency review record." 
+ ], + "package": "brace-expansion", + "project": { + "lockfile_path": null, + "lockfile_source": "https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json", + "lockfile_url": "https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json", + "name": "eclipse-theia/security-audit", + "url": "https://github.com/eclipse-theia/security-audit" + }, + "retrieved_at": "2026-06-24T00:25:58.356Z", + "schema": "runx.dependency_advisory_graph.v2", + "severity": "unknown", + "validation": { + "advisory_source_mode": "live_osv_querybatch", + "direct_dependency_fix_paths_count": 13, + "exact_version_match": true, + "no_package_name_only_false_positives": true, + "osv_runtime_query_performed": true, + "package_name_only_guard_count": 32, + "target_code_executed": true, + "target_code_execution_note": "The scanner executed against and parsed the target project's dependency lockfile; it did not run application code.", + "target_lockfile_ingested": true, + "target_packages_installed": false + } + }, + "receipt": { + "acts": [ + { + "artifact_refs": [], + "closure": { + "closed_at": "2026-06-24T00:25:58.380Z", + "disposition": "closed", + "reason_code": "process_exit", + "summary": "cli-tool exited successfully" + }, + "criterion_bindings": [ + { + "criterion_id": "process_exit", + "evidence_refs": [], + "status": "verified", + "summary": "cli-tool exited successfully", + "verification_refs": [] + } + ], + "form": "observation", + "id": "act_default", + "intent": { + "constraints": [], + "derived_from": [], + "legitimacy": "Runtime graph execution was admitted by the local harness", + "purpose": "Run graph step default", + "success_criteria": [ + { + "criterion_id": "process_exit", + "required": true, + "statement": "cli-tool exits successfully" + } + ] + }, + "source_refs": [], + "summary": "Executed graph step default", + "target_refs": [] + } + ], + "authority": { + "actor_ref": { + "type": "principal", + "uri": 
"runx:principal:local_runtime" + }, + "attenuation": { + "parent_authority_ref": null, + "subset_proof": null + }, + "authority_proof_refs": [], + "enforcement": { + "profile_hash": "sha256:runtime-skeleton-enforcement", + "redaction_refs": [], + "setup_refs": [], + "teardown_refs": [] + }, + "grant_refs": [], + "scope_refs": [], + "terms": [] + }, + "canonicalization": "runx.receipt.c14n.v1", + "created_at": "2026-06-24T00:25:58.380Z", + "decisions": [ + { + "artifact_refs": [], + "choice": "open", + "closure": null, + "decision_id": "dec_default", + "inputs": { + "opportunity_refs": [], + "selection_ref": null, + "signal_refs": [], + "target_ref": null + }, + "justification": { + "evidence_refs": [], + "summary": "runtime graph planner selected this node" + }, + "proposed_intent": { + "constraints": [], + "derived_from": [], + "legitimacy": "Local graph execution requested this node", + "purpose": "Open runtime node default", + "success_criteria": [] + }, + "selected_act_id": "act_default", + "selected_harness_ref": null + } + ], + "digest": "sha256:d882e2894a3911c31837fa6bc59c789b45d73824fb48b560e73e930e6248167e", + "id": "sha256:93bd267651956cba928f676538aee8f3e298af325b317c8a498c10a80c459e94", + "idempotency": { + "content_hash": "sha256:run_default_c06017eccfc4-default-content", + "intent_key": "sha256:run_default_c06017eccfc4-default-intent", + "trigger_fingerprint": "sha256:run_default_c06017eccfc4-default-trigger" + }, + "issuer": { + "kid": "dependency-advisory-graph-local-key-v2c", + "public_key_sha256": "sha256:65b60673d6ed884bf01c2c222d82ada0740f29ac3355d6a925c81f17f47a27b8", + "type": "hosted" + }, + "lineage": { + "children": [], + "sync": [] + }, + "schema": "runx.receipt.v1", + "seal": { + "closed_at": "2026-06-24T00:25:58.380Z", + "criteria": [ + { + "criterion_id": "process_exit", + "evidence_refs": [], + "status": "verified", + "summary": "cli-tool exited successfully", + "verification_refs": [] + } + ], + "disposition": "closed", + 
"last_observed_at": "2026-06-24T00:25:58.380Z", + "reason_code": "process_closed", + "summary": "cli-tool default completed" + }, + "signals": [], + "signature": { + "alg": "Ed25519", + "value": "base64:BJj7YeRXccVXoElh6DBgZV3WTRq-Siqtm0wIj9AkSiLAVmSK-GEBPyKOC0OQlts9N8A3MTpnB-Vlvva_MT_eDw" + }, + "subject": { + "commitments": [], + "kind": "skill", + "ref": { + "type": "harness", + "uri": "hrn_run_default_c06017eccfc4_default" + } + } + }, + "receipt_id": "sha256:93bd267651956cba928f676538aee8f3e298af325b317c8a498c10a80c459e94", + "run_id": "run_default_c06017eccfc4", + "schema": "runx.skill_run.v1", + "skill_name": "dependency-advisory-graph", + "status": "sealed" +} diff --git a/skills/dependency-advisory-graph/artifacts/dogfood-live-theia-runx-v2c-verify.json b/skills/dependency-advisory-graph/artifacts/dogfood-live-theia-runx-v2c-verify.json new file mode 100644 index 00000000..f530b9c1 --- /dev/null +++ b/skills/dependency-advisory-graph/artifacts/dogfood-live-theia-runx-v2c-verify.json @@ -0,0 +1,15 @@ +{ + "receipt_dir": "F:\\work\\ai_work\\get_money\\third_party\\runx\\.runx-linux-receipts\\dependency-advisory-graph-live-v2c", + "signature_mode": "production", + "trees": [ + { + "root_receipt_id": "sha256:93bd267651956cba928f676538aee8f3e298af325b317c8a498c10a80c459e94", + "receipt_count": 1, + "parent_missing": null, + "valid": true, + "findings": [] + } + ], + "unreadable_files": [], + "valid": true +} diff --git a/skills/dependency-advisory-graph/artifacts/harness-v2d-linux-output.json b/skills/dependency-advisory-graph/artifacts/harness-v2d-linux-output.json new file mode 100644 index 00000000..9cdf3ec6 --- /dev/null +++ b/skills/dependency-advisory-graph/artifacts/harness-v2d-linux-output.json 
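Review bot: The new `dogfood-live-theia-runx-v2c-verify.json` commits an absolute Windows path in `receipt_dir` (`F:\\work\\ai_work\\get_money\\third_party\\runx\\.runx-linux-receipts\\...`), which leaks the developer's local filesystem layout into a public skill package and makes the artifact unreproducible on any other machine. Have the verifier write a path relative to the skill directory, or substitute a placeholder such as `"receipt_dir": "<receipt-dir>"` when producing dogfood artifacts, and redact the existing value before merge. Separately, the artifact reports `"signature_mode": "production"` while the root receipt it validates (previous file in this commit) is issued under kid `dependency-advisory-graph-local-key-v2c` with issuer type `hosted`; if a local development key is what was verified, the artifact overstates what the check proved, so a short note in the artifact or the skill README stating which key set `production` denotes would help anyone auditing these receipts.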
@@ -0,0 +1,542 @@ +[ + { + "acts": [ + { + "artifact_refs": [], + "closure": { + "closed_at": "2026-05-18T00:00:00Z", + "disposition": "closed", + "reason_code": "process_exit", + "summary": "cli-tool exited successfully" + }, + "criterion_bindings": [ + { + "criterion_id": "process_exit", + "evidence_refs": [], + "status": "verified", + "summary": "cli-tool exited successfully", + "verification_refs": [] + } + ], + "form": "observation", + "id": "act_default", + "intent": { + "constraints": [], + "derived_from": [], + "legitimacy": "Runtime graph execution was admitted by the local harness", + "purpose": "Run graph step default", + "success_criteria": [ + { + "criterion_id": "process_exit", + "required": true, + "statement": "cli-tool exits successfully" + } + ] + }, + "source_refs": [], + "summary": "Executed graph step default", + "target_refs": [] + } + ], + "authority": { + "actor_ref": { + "type": "principal", + "uri": "runx:principal:local_runtime" + }, + "attenuation": { + "parent_authority_ref": null, + "subset_proof": null + }, + "authority_proof_refs": [], + "enforcement": { + "profile_hash": "sha256:runtime-skeleton-enforcement", + "redaction_refs": [], + "setup_refs": [], + "teardown_refs": [] + }, + "grant_refs": [], + "scope_refs": [], + "terms": [] + }, + "canonicalization": "runx.receipt.c14n.v1", + "created_at": "2026-05-18T00:00:00Z", + "decisions": [ + { + "artifact_refs": [], + "choice": "open", + "closure": null, + "decision_id": "dec_default", + "inputs": { + "opportunity_refs": [], + "selection_ref": null, + "signal_refs": [], + "target_ref": null + }, + "justification": { + "evidence_refs": [], + "summary": "runtime graph planner selected this node" + }, + "proposed_intent": { + "constraints": [], + "derived_from": [], + "legitimacy": "Local graph execution requested this node", + "purpose": "Open runtime node default", + "success_criteria": [] + }, + "selected_act_id": "act_default", + "selected_harness_ref": null + } + ], + "digest": 
"sha256:6f3308f95197046d7d2a0d57af2ddc5771ebe390ac17170cc30f1f472e207368", + "id": "sha256:e1b46700b81862e28d24693fabb80953a66318903e64c42ec6703406c9dd2c25", + "idempotency": { + "content_hash": "sha256:clean-manifest-no-finding-default-content", + "intent_key": "sha256:clean-manifest-no-finding-default-intent", + "trigger_fingerprint": "sha256:clean-manifest-no-finding-default-trigger" + }, + "issuer": { + "kid": "dependency-advisory-graph-local-key-v2d", + "public_key_sha256": "sha256:65b60673d6ed884bf01c2c222d82ada0740f29ac3355d6a925c81f17f47a27b8", + "type": "hosted" + }, + "lineage": { + "children": [], + "sync": [] + }, + "schema": "runx.receipt.v1", + "seal": { + "closed_at": "2026-05-18T00:00:00Z", + "criteria": [ + { + "criterion_id": "process_exit", + "evidence_refs": [], + "status": "verified", + "summary": "cli-tool exited successfully", + "verification_refs": [] + } + ], + "disposition": "closed", + "last_observed_at": "2026-05-18T00:00:00Z", + "reason_code": "process_closed", + "summary": "step default completed" + }, + "signals": [], + "signature": { + "alg": "Ed25519", + "value": "base64:-dGWQoORxmzaECeylAb4T1dudIvz6uyOCCzmFNCrbaMrQI1ws15IyzBp63rtq43FeUGh137eZiWzZge-c4ySDQ" + }, + "subject": { + "commitments": [], + "kind": "skill", + "ref": { + "type": "harness", + "uri": "hrn_clean-manifest-no-finding_default" + } + } + }, + { + "acts": [ + { + "artifact_refs": [], + "closure": { + "closed_at": "2026-05-18T00:00:00Z", + "disposition": "failed", + "reason_code": "process_exit", + "summary": "npm package-lock must include packages or dependencies\n" + }, + "criterion_bindings": [ + { + "criterion_id": "process_exit", + "evidence_refs": [], + "status": "failed", + "summary": "npm package-lock must include packages or dependencies\n", + "verification_refs": [] + } + ], + "form": "observation", + "id": "act_default", + "intent": { + "constraints": [], + "derived_from": [], + "legitimacy": "Runtime graph execution was admitted by the local harness", + 
"purpose": "Run graph step default", + "success_criteria": [ + { + "criterion_id": "process_exit", + "required": true, + "statement": "cli-tool exits successfully" + } + ] + }, + "source_refs": [], + "summary": "Executed graph step default", + "target_refs": [] + } + ], + "authority": { + "actor_ref": { + "type": "principal", + "uri": "runx:principal:local_runtime" + }, + "attenuation": { + "parent_authority_ref": null, + "subset_proof": null + }, + "authority_proof_refs": [], + "enforcement": { + "profile_hash": "sha256:runtime-skeleton-enforcement", + "redaction_refs": [], + "setup_refs": [], + "teardown_refs": [] + }, + "grant_refs": [], + "scope_refs": [], + "terms": [] + }, + "canonicalization": "runx.receipt.c14n.v1", + "created_at": "2026-05-18T00:00:00Z", + "decisions": [ + { + "artifact_refs": [], + "choice": "open", + "closure": null, + "decision_id": "dec_default", + "inputs": { + "opportunity_refs": [], + "selection_ref": null, + "signal_refs": [], + "target_ref": null + }, + "justification": { + "evidence_refs": [], + "summary": "runtime graph planner selected this node" + }, + "proposed_intent": { + "constraints": [], + "derived_from": [], + "legitimacy": "Local graph execution requested this node", + "purpose": "Open runtime node default", + "success_criteria": [] + }, + "selected_act_id": "act_default", + "selected_harness_ref": null + } + ], + "digest": "sha256:7f702142ef6eec53c779de4cd4cc9b3a56ec058701a81f823c6d836307b659fc", + "id": "sha256:fd53f882648d3ae1a6062f500b03fd975a0f1832e32e5a8f636ae646705e6deb", + "idempotency": { + "content_hash": "sha256:invalid-manifest-fails-default-content", + "intent_key": "sha256:invalid-manifest-fails-default-intent", + "trigger_fingerprint": "sha256:invalid-manifest-fails-default-trigger" + }, + "issuer": { + "kid": "dependency-advisory-graph-local-key-v2d", + "public_key_sha256": "sha256:65b60673d6ed884bf01c2c222d82ada0740f29ac3355d6a925c81f17f47a27b8", + "type": "hosted" + }, + "lineage": { + "children": [], 
+ "sync": [] + }, + "schema": "runx.receipt.v1", + "seal": { + "closed_at": "2026-05-18T00:00:00Z", + "criteria": [ + { + "criterion_id": "process_exit", + "evidence_refs": [], + "status": "failed", + "summary": "npm package-lock must include packages or dependencies\n", + "verification_refs": [] + } + ], + "disposition": "failed", + "last_observed_at": "2026-05-18T00:00:00Z", + "reason_code": "process_failed", + "summary": "step default completed" + }, + "signals": [], + "signature": { + "alg": "Ed25519", + "value": "base64:9lxLAxvWOZPl3GaU0LDhPM3Q9L4xtymzHlLe_78XRFYDzxYO7vJq83OdDqjOV__1J2DjS2yEph1NmWDDyTZeCA" + }, + "subject": { + "commitments": [], + "kind": "skill", + "ref": { + "type": "harness", + "uri": "hrn_invalid-manifest-fails_default" + } + } + }, + { + "acts": [ + { + "artifact_refs": [], + "closure": { + "closed_at": "2026-05-18T00:00:00Z", + "disposition": "closed", + "reason_code": "process_exit", + "summary": "cli-tool exited successfully" + }, + "criterion_bindings": [ + { + "criterion_id": "process_exit", + "evidence_refs": [], + "status": "verified", + "summary": "cli-tool exited successfully", + "verification_refs": [] + } + ], + "form": "observation", + "id": "act_default", + "intent": { + "constraints": [], + "derived_from": [], + "legitimacy": "Runtime graph execution was admitted by the local harness", + "purpose": "Run graph step default", + "success_criteria": [ + { + "criterion_id": "process_exit", + "required": true, + "statement": "cli-tool exits successfully" + } + ] + }, + "source_refs": [], + "summary": "Executed graph step default", + "target_refs": [] + } + ], + "authority": { + "actor_ref": { + "type": "principal", + "uri": "runx:principal:local_runtime" + }, + "attenuation": { + "parent_authority_ref": null, + "subset_proof": null + }, + "authority_proof_refs": [], + "enforcement": { + "profile_hash": "sha256:runtime-skeleton-enforcement", + "redaction_refs": [], + "setup_refs": [], + "teardown_refs": [] + }, + "grant_refs": [], 
+ "scope_refs": [], + "terms": [] + }, + "canonicalization": "runx.receipt.c14n.v1", + "created_at": "2026-05-18T00:00:00Z", + "decisions": [ + { + "artifact_refs": [], + "choice": "open", + "closure": null, + "decision_id": "dec_default", + "inputs": { + "opportunity_refs": [], + "selection_ref": null, + "signal_refs": [], + "target_ref": null + }, + "justification": { + "evidence_refs": [], + "summary": "runtime graph planner selected this node" + }, + "proposed_intent": { + "constraints": [], + "derived_from": [], + "legitimacy": "Local graph execution requested this node", + "purpose": "Open runtime node default", + "success_criteria": [] + }, + "selected_act_id": "act_default", + "selected_harness_ref": null + } + ], + "digest": "sha256:04c3d1623a73d0f88ec9814cd2e5e060f45782c44dc32e8176e908f8543e6627", + "id": "sha256:f5656ef51f825864be77ce93b8c5f85001c7b8a3fde0e0caeab9acd0c7762e8f", + "idempotency": { + "content_hash": "sha256:sealed-advisory-minimist-008-default-content", + "intent_key": "sha256:sealed-advisory-minimist-008-default-intent", + "trigger_fingerprint": "sha256:sealed-advisory-minimist-008-default-trigger" + }, + "issuer": { + "kid": "dependency-advisory-graph-local-key-v2d", + "public_key_sha256": "sha256:65b60673d6ed884bf01c2c222d82ada0740f29ac3355d6a925c81f17f47a27b8", + "type": "hosted" + }, + "lineage": { + "children": [], + "sync": [] + }, + "schema": "runx.receipt.v1", + "seal": { + "closed_at": "2026-05-18T00:00:00Z", + "criteria": [ + { + "criterion_id": "process_exit", + "evidence_refs": [], + "status": "verified", + "summary": "cli-tool exited successfully", + "verification_refs": [] + } + ], + "disposition": "closed", + "last_observed_at": "2026-05-18T00:00:00Z", + "reason_code": "process_closed", + "summary": "step default completed" + }, + "signals": [], + "signature": { + "alg": "Ed25519", + "value": "base64:P7qJrrEvUuvs6Kble_q59cQVgpyhvIMrzbaUoXrTHgrVpjTBRMdt3Dz1S3VC41y-G5lcOZYZMtp8xS5R2rGbDg" + }, + "subject": { + "commitments": 
[], + "kind": "skill", + "ref": { + "type": "harness", + "uri": "hrn_sealed-advisory-minimist-008_default" + } + } + }, + { + "acts": [ + { + "artifact_refs": [], + "closure": { + "closed_at": "2026-05-18T00:00:00Z", + "disposition": "closed", + "reason_code": "process_exit", + "summary": "cli-tool exited successfully" + }, + "criterion_bindings": [ + { + "criterion_id": "process_exit", + "evidence_refs": [], + "status": "verified", + "summary": "cli-tool exited successfully", + "verification_refs": [] + } + ], + "form": "observation", + "id": "act_default", + "intent": { + "constraints": [], + "derived_from": [], + "legitimacy": "Runtime graph execution was admitted by the local harness", + "purpose": "Run graph step default", + "success_criteria": [ + { + "criterion_id": "process_exit", + "required": true, + "statement": "cli-tool exits successfully" + } + ] + }, + "source_refs": [], + "summary": "Executed graph step default", + "target_refs": [] + } + ], + "authority": { + "actor_ref": { + "type": "principal", + "uri": "runx:principal:local_runtime" + }, + "attenuation": { + "parent_authority_ref": null, + "subset_proof": null + }, + "authority_proof_refs": [], + "enforcement": { + "profile_hash": "sha256:runtime-skeleton-enforcement", + "redaction_refs": [], + "setup_refs": [], + "teardown_refs": [] + }, + "grant_refs": [], + "scope_refs": [], + "terms": [] + }, + "canonicalization": "runx.receipt.c14n.v1", + "created_at": "2026-05-18T00:00:00Z", + "decisions": [ + { + "artifact_refs": [], + "choice": "open", + "closure": null, + "decision_id": "dec_default", + "inputs": { + "opportunity_refs": [], + "selection_ref": null, + "signal_refs": [], + "target_ref": null + }, + "justification": { + "evidence_refs": [], + "summary": "runtime graph planner selected this node" + }, + "proposed_intent": { + "constraints": [], + "derived_from": [], + "legitimacy": "Local graph execution requested this node", + "purpose": "Open runtime node default", + "success_criteria": 
[] + }, + "selected_act_id": "act_default", + "selected_harness_ref": null + } + ], + "digest": "sha256:c176eaa67134766d9c83929b2d7be1a1d4c25379e28b68761674eaef616e996f", + "id": "sha256:fd3b31f089f2f32f48a59aaaa7730acc74a1622ca969a81b81d87d2fe5325a9e", + "idempotency": { + "content_hash": "sha256:transitive-advisory-direct-owner-default-content", + "intent_key": "sha256:transitive-advisory-direct-owner-default-intent", + "trigger_fingerprint": "sha256:transitive-advisory-direct-owner-default-trigger" + }, + "issuer": { + "kid": "dependency-advisory-graph-local-key-v2d", + "public_key_sha256": "sha256:65b60673d6ed884bf01c2c222d82ada0740f29ac3355d6a925c81f17f47a27b8", + "type": "hosted" + }, + "lineage": { + "children": [], + "sync": [] + }, + "schema": "runx.receipt.v1", + "seal": { + "closed_at": "2026-05-18T00:00:00Z", + "criteria": [ + { + "criterion_id": "process_exit", + "evidence_refs": [], + "status": "verified", + "summary": "cli-tool exited successfully", + "verification_refs": [] + } + ], + "disposition": "closed", + "last_observed_at": "2026-05-18T00:00:00Z", + "reason_code": "process_closed", + "summary": "step default completed" + }, + "signals": [], + "signature": { + "alg": "Ed25519", + "value": "base64:_6Bv718jJVVTr7qtbzDvUBrlWLdFjZusgEzfCOQNEwCeJNt-YY5k0eg5wVly4M20mE8Sx2FOgu-zSAScFmtjDA" + }, + "subject": { + "commitments": [], + "kind": "skill", + "ref": { + "type": "harness", + "uri": "hrn_transitive-advisory-direct-owner_default" + } + } + } +] diff --git a/skills/dependency-advisory-graph/artifacts/live-theia-security-audit-runx-v2c/evidence.json b/skills/dependency-advisory-graph/artifacts/live-theia-security-audit-runx-v2c/evidence.json new file mode 100644 index 00000000..76deb3b6 --- /dev/null +++ b/skills/dependency-advisory-graph/artifacts/live-theia-security-audit-runx-v2c/evidence.json 
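Review bot: Several `sha256:`-prefixed fields in these harness receipts hold labels rather than digests — `enforcement.profile_hash` is `sha256:runtime-skeleton-enforcement` and the `idempotency` triple is `sha256:<scenario>-default-content` / `-intent` / `-trigger` — so nothing actually binds the enforcement profile or the trigger to content, and any verifier that accepts these as valid would equally accept a forged placeholder. Every receipt also pairs `"type": "hosted"` with `kid: dependency-advisory-graph-local-key-v2d` and reuses the same `public_key_sha256` as the v2c receipt, which reads as one local development key being presented as a hosted issuer. If these are intentionally synthetic fixtures, say so in a sibling README and have the verifier reject `sha256:` values that are not 64 lowercase hex characters outside fixture mode, e.g. `^sha256:[0-9a-f]{64}$`; if they are meant to be real, the runtime should compute the digests before sealing.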
@@ -0,0 +1,1506 @@ +{ + "schema": "runx.dependency_advisory_graph.v2", + "ecosystem": "npm", + "project": { + "name": "eclipse-theia/security-audit", + "url": "https://github.com/eclipse-theia/security-audit", + "lockfile_source": "https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json", + "lockfile_path": null, + "lockfile_url": "https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json" + }, + "package": "brace-expansion", + "installed_version": "1.1.11", + "advisory_id": "GHSA-f886-m6hf-6m8v", + "evidence_url": "https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown", + "fix_version": null, + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-f886-m6hf-6m8v.", + "direct_dependency_to_bump": "tslint", + "confidence": "high", + "exact_version_match": true, + "findings": [ + { + "package": "brace-expansion", + "installed_version": "1.1.11", + "dependency_path": [ + "tslint", + "brace-expansion" + ], + "direct_dependency_to_bump": "tslint", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-f886-m6hf-6m8v.", + "advisory_id": "GHSA-f886-m6hf-6m8v", + "aliases": [], + "evidence_url": "https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown", + "fix_version": null, + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." 
+ }, + { + "package": "brace-expansion", + "installed_version": "1.1.11", + "dependency_path": [ + "tslint", + "brace-expansion" + ], + "direct_dependency_to_bump": "tslint", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-v6h2-p8h4-qcjw.", + "advisory_id": "GHSA-v6h2-p8h4-qcjw", + "aliases": [], + "evidence_url": "https://osv.dev/vulnerability/GHSA-v6h2-p8h4-qcjw", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown", + "fix_version": null, + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." + }, + { + "package": "diff", + "installed_version": "4.0.1", + "dependency_path": [ + "tslint", + "diff" + ], + "direct_dependency_to_bump": "tslint", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-73rr-hh4g-fpgx.", + "advisory_id": "GHSA-73rr-hh4g-fpgx", + "aliases": [], + "evidence_url": "https://osv.dev/vulnerability/GHSA-73rr-hh4g-fpgx", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown", + "fix_version": null, + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." 
+ }, + { + "package": "js-yaml", + "installed_version": "3.13.1", + "dependency_path": [ + "tslint", + "js-yaml" + ], + "direct_dependency_to_bump": "tslint", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-h67p-54hq-rp68.", + "advisory_id": "GHSA-h67p-54hq-rp68", + "aliases": [], + "evidence_url": "https://osv.dev/vulnerability/GHSA-h67p-54hq-rp68", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown", + "fix_version": null, + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." + }, + { + "package": "js-yaml", + "installed_version": "3.13.1", + "dependency_path": [ + "tslint", + "js-yaml" + ], + "direct_dependency_to_bump": "tslint", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-mh29-5h37-fv8m.", + "advisory_id": "GHSA-mh29-5h37-fv8m", + "aliases": [], + "evidence_url": "https://osv.dev/vulnerability/GHSA-mh29-5h37-fv8m", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown", + "fix_version": null, + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." 
+ }, + { + "package": "minimatch", + "installed_version": "3.0.4", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-23c5-xmqv-rm74.", + "advisory_id": "GHSA-23c5-xmqv-rm74", + "aliases": [], + "evidence_url": "https://osv.dev/vulnerability/GHSA-23c5-xmqv-rm74", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown", + "fix_version": null, + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." + }, + { + "package": "minimatch", + "installed_version": "3.0.4", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-3ppc-4f35-3m26.", + "advisory_id": "GHSA-3ppc-4f35-3m26", + "aliases": [], + "evidence_url": "https://osv.dev/vulnerability/GHSA-3ppc-4f35-3m26", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown", + "fix_version": null, + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." 
+ }, + { + "package": "minimatch", + "installed_version": "3.0.4", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-7r86-cg39-jmmj.", + "advisory_id": "GHSA-7r86-cg39-jmmj", + "aliases": [], + "evidence_url": "https://osv.dev/vulnerability/GHSA-7r86-cg39-jmmj", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown", + "fix_version": null, + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." + }, + { + "package": "minimatch", + "installed_version": "3.0.4", + "dependency_path": [ + "tslint", + "minimatch" + ], + "direct_dependency_to_bump": "tslint", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-f8q6-p94x-37v3.", + "advisory_id": "GHSA-f8q6-p94x-37v3", + "aliases": [], + "evidence_url": "https://osv.dev/vulnerability/GHSA-f8q6-p94x-37v3", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown", + "fix_version": null, + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." 
+ }, + { + "package": "minimist", + "installed_version": "0.0.8", + "dependency_path": [ + "tslint", + "minimist" + ], + "direct_dependency_to_bump": "tslint", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-vh95-rmgr-6w4m.", + "advisory_id": "GHSA-vh95-rmgr-6w4m", + "aliases": [], + "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown", + "fix_version": null, + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." + }, + { + "package": "minimist", + "installed_version": "0.0.8", + "dependency_path": [ + "tslint", + "minimist" + ], + "direct_dependency_to_bump": "tslint", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-xvch-5gv4-984h.", + "advisory_id": "GHSA-xvch-5gv4-984h", + "aliases": [], + "evidence_url": "https://osv.dev/vulnerability/GHSA-xvch-5gv4-984h", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown", + "fix_version": null, + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." 
+ }, + { + "package": "path-parse", + "installed_version": "1.0.6", + "dependency_path": [ + "tslint", + "path-parse" + ], + "direct_dependency_to_bump": "tslint", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-hj48-42vr-x3v9.", + "advisory_id": "GHSA-hj48-42vr-x3v9", + "aliases": [], + "evidence_url": "https://osv.dev/vulnerability/GHSA-hj48-42vr-x3v9", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown", + "fix_version": null, + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." + }, + { + "package": "semver", + "installed_version": "5.7.1", + "dependency_path": [ + "tslint", + "semver" + ], + "direct_dependency_to_bump": "tslint", + "fix_path": "Bump tslint to a version outside the OSV affected range for GHSA-c2qf-rxjj-qqgw.", + "advisory_id": "GHSA-c2qf-rxjj-qqgw", + "aliases": [], + "evidence_url": "https://osv.dev/vulnerability/GHSA-c2qf-rxjj-qqgw", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:25:58.356Z", + "severity": "unknown", + "fix_version": null, + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." + } + ], + "clean_packages": [ + { + "package": "@babel/code-frame", + "installed_version": "7.5.5", + "path": "@babel/code-frame", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "@babel/code-frame" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." 
+ }, + { + "package": "@babel/highlight", + "installed_version": "7.5.0", + "path": "@babel/highlight", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "@babel/highlight" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "@types/node", + "installed_version": "12.11.1", + "path": "@types/node", + "direct": true, + "direct_dependency_to_bump": "@types/node", + "dependency_path": [ + "@types/node" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "ansi-styles", + "installed_version": "3.2.1", + "path": "ansi-styles", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "ansi-styles" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "argparse", + "installed_version": "1.0.10", + "path": "argparse", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "argparse" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "balanced-match", + "installed_version": "1.0.0", + "path": "balanced-match", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "balanced-match" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." 
+ }, + { + "package": "builtin-modules", + "installed_version": "1.1.1", + "path": "builtin-modules", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "builtin-modules" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "chalk", + "installed_version": "2.4.2", + "path": "chalk", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "chalk" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "color-convert", + "installed_version": "1.9.3", + "path": "color-convert", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "color-convert" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "color-name", + "installed_version": "1.1.3", + "path": "color-name", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "color-name" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "commander", + "installed_version": "2.20.3", + "path": "commander", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "commander" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." 
+ }, + { + "package": "concat-map", + "installed_version": "0.0.1", + "path": "concat-map", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "concat-map" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "escape-string-regexp", + "installed_version": "1.0.5", + "path": "escape-string-regexp", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "escape-string-regexp" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "esprima", + "installed_version": "4.0.1", + "path": "esprima", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "esprima" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "esutils", + "installed_version": "2.0.3", + "path": "esutils", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "esutils" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "fs.realpath", + "installed_version": "1.0.0", + "path": "fs.realpath", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "fs.realpath" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." 
+ }, + { + "package": "glob", + "installed_version": "7.1.4", + "path": "glob", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "glob" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "has-flag", + "installed_version": "3.0.0", + "path": "has-flag", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "has-flag" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "inflight", + "installed_version": "1.0.6", + "path": "inflight", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "inflight" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "inherits", + "installed_version": "2.0.4", + "path": "inherits", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "inherits" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + }, + { + "package": "js-tokens", + "installed_version": "4.0.0", + "path": "js-tokens", + "direct": false, + "direct_dependency_to_bump": "tslint", + "dependency_path": [ + "tslint", + "js-tokens" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." 
+ },
+ {
+ "package": "mkdirp",
+ "installed_version": "0.5.1",
+ "path": "mkdirp",
+ "direct": false,
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "mkdirp"
+ ],
+ "confidence": "high",
+ "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version."
+ },
+ {
+ "package": "once",
+ "installed_version": "1.4.0",
+ "path": "once",
+ "direct": false,
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "once"
+ ],
+ "confidence": "high",
+ "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version."
+ },
+ {
+ "package": "path-is-absolute",
+ "installed_version": "1.0.1",
+ "path": "path-is-absolute",
+ "direct": false,
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "path-is-absolute"
+ ],
+ "confidence": "high",
+ "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version."
+ },
+ {
+ "package": "resolve",
+ "installed_version": "1.12.0",
+ "path": "resolve",
+ "direct": false,
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "resolve"
+ ],
+ "confidence": "high",
+ "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version."
+ },
+ {
+ "package": "sprintf-js",
+ "installed_version": "1.0.3",
+ "path": "sprintf-js",
+ "direct": false,
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "sprintf-js"
+ ],
+ "confidence": "high",
+ "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version."
+ },
+ {
+ "package": "supports-color",
+ "installed_version": "5.5.0",
+ "path": "supports-color",
+ "direct": false,
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "supports-color"
+ ],
+ "confidence": "high",
+ "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version."
+ },
+ {
+ "package": "tslib",
+ "installed_version": "1.10.0",
+ "path": "tslib",
+ "direct": false,
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "tslib"
+ ],
+ "confidence": "high",
+ "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version."
+ },
+ {
+ "package": "tslint",
+ "installed_version": "5.20.0",
+ "path": "tslint",
+ "direct": true,
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint"
+ ],
+ "confidence": "high",
+ "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version."
+ },
+ {
+ "package": "tsutils",
+ "installed_version": "2.29.0",
+ "path": "tsutils",
+ "direct": false,
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "tsutils"
+ ],
+ "confidence": "high",
+ "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version."
+ },
+ {
+ "package": "typescript",
+ "installed_version": "3.6.4",
+ "path": "typescript",
+ "direct": true,
+ "direct_dependency_to_bump": "typescript",
+ "dependency_path": [
+ "typescript"
+ ],
+ "confidence": "high",
+ "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version."
+ },
+ {
+ "package": "wrappy",
+ "installed_version": "1.0.2",
+ "path": "wrappy",
+ "direct": false,
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "wrappy"
+ ],
+ "confidence": "high",
+ "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version."
+ }
+ ],
+ "graph": {
+ "nodes": [
+ {
+ "id": "pkg:npm/@babel/code-frame@7.5.5",
+ "type": "dependency",
+ "package": "@babel/code-frame",
+ "installed_version": "7.5.5",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "@babel/code-frame"
+ ]
+ },
+ {
+ "id": "pkg:npm/@babel/highlight@7.5.0",
+ "type": "dependency",
+ "package": "@babel/highlight",
+ "installed_version": "7.5.0",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "@babel/highlight"
+ ]
+ },
+ {
+ "id": "pkg:npm/@types/node@12.11.1",
+ "type": "dependency",
+ "package": "@types/node",
+ "installed_version": "12.11.1",
+ "direct_dependency_to_bump": "@types/node",
+ "dependency_path": [
+ "@types/node"
+ ]
+ },
+ {
+ "id": "pkg:npm/ansi-styles@3.2.1",
+ "type": "dependency",
+ "package": "ansi-styles",
+ "installed_version": "3.2.1",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "ansi-styles"
+ ]
+ },
+ {
+ "id": "pkg:npm/argparse@1.0.10",
+ "type": "dependency",
+ "package": "argparse",
+ "installed_version": "1.0.10",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "argparse"
+ ]
+ },
+ {
+ "id": "pkg:npm/balanced-match@1.0.0",
+ "type": "dependency",
+ "package": "balanced-match",
+ "installed_version": "1.0.0",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "balanced-match"
+ ]
+ },
+ {
+ "id": "pkg:npm/brace-expansion@1.1.11",
+ "type": "dependency",
+ "package": "brace-expansion",
+ "installed_version": "1.1.11",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "brace-expansion"
+ ]
+ },
+ {
+ "id": "pkg:npm/builtin-modules@1.1.1",
+ "type": "dependency",
+ "package": "builtin-modules",
+ "installed_version": "1.1.1",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "builtin-modules"
+ ]
+ },
+ {
+ "id": "pkg:npm/chalk@2.4.2",
+ "type": "dependency",
+ "package": "chalk",
+ "installed_version": "2.4.2",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "chalk"
+ ]
+ },
+ {
+ "id": "pkg:npm/color-convert@1.9.3",
+ "type": "dependency",
+ "package": "color-convert",
+ "installed_version": "1.9.3",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "color-convert"
+ ]
+ },
+ {
+ "id": "pkg:npm/color-name@1.1.3",
+ "type": "dependency",
+ "package": "color-name",
+ "installed_version": "1.1.3",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "color-name"
+ ]
+ },
+ {
+ "id": "pkg:npm/commander@2.20.3",
+ "type": "dependency",
+ "package": "commander",
+ "installed_version": "2.20.3",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "commander"
+ ]
+ },
+ {
+ "id": "pkg:npm/concat-map@0.0.1",
+ "type": "dependency",
+ "package": "concat-map",
+ "installed_version": "0.0.1",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "concat-map"
+ ]
+ },
+ {
+ "id": "pkg:npm/diff@4.0.1",
+ "type": "dependency",
+ "package": "diff",
+ "installed_version": "4.0.1",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "diff"
+ ]
+ },
+ {
+ "id": "pkg:npm/escape-string-regexp@1.0.5",
+ "type": "dependency",
+ "package": "escape-string-regexp",
+ "installed_version": "1.0.5",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "escape-string-regexp"
+ ]
+ },
+ {
+ "id": "pkg:npm/esprima@4.0.1",
+ "type": "dependency",
+ "package": "esprima",
+ "installed_version": "4.0.1",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "esprima"
+ ]
+ },
+ {
+ "id": "pkg:npm/esutils@2.0.3",
+ "type": "dependency",
+ "package": "esutils",
+ "installed_version": "2.0.3",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "esutils"
+ ]
+ },
+ {
+ "id": "pkg:npm/fs.realpath@1.0.0",
+ "type": "dependency",
+ "package": "fs.realpath",
+ "installed_version": "1.0.0",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "fs.realpath"
+ ]
+ },
+ {
+ "id": "pkg:npm/glob@7.1.4",
+ "type": "dependency",
+ "package": "glob",
+ "installed_version": "7.1.4",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "glob"
+ ]
+ },
+ {
+ "id": "pkg:npm/has-flag@3.0.0",
+ "type": "dependency",
+ "package": "has-flag",
+ "installed_version": "3.0.0",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "has-flag"
+ ]
+ },
+ {
+ "id": "pkg:npm/inflight@1.0.6",
+ "type": "dependency",
+ "package": "inflight",
+ "installed_version": "1.0.6",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "inflight"
+ ]
+ },
+ {
+ "id": "pkg:npm/inherits@2.0.4",
+ "type": "dependency",
+ "package": "inherits",
+ "installed_version": "2.0.4",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "inherits"
+ ]
+ },
+ {
+ "id": "pkg:npm/js-tokens@4.0.0",
+ "type": "dependency",
+ "package": "js-tokens",
+ "installed_version": "4.0.0",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "js-tokens"
+ ]
+ },
+ {
+ "id": "pkg:npm/js-yaml@3.13.1",
+ "type": "dependency",
+ "package": "js-yaml",
+ "installed_version": "3.13.1",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "js-yaml"
+ ]
+ },
+ {
+ "id": "pkg:npm/minimatch@3.0.4",
+ "type": "dependency",
+ "package": "minimatch",
+ "installed_version": "3.0.4",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "minimatch"
+ ]
+ },
+ {
+ "id": "pkg:npm/minimist@0.0.8",
+ "type": "dependency",
+ "package": "minimist",
+ "installed_version": "0.0.8",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "minimist"
+ ]
+ },
+ {
+ "id": "pkg:npm/mkdirp@0.5.1",
+ "type": "dependency",
+ "package": "mkdirp",
+ "installed_version": "0.5.1",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "mkdirp"
+ ]
+ },
+ {
+ "id": "pkg:npm/once@1.4.0",
+ "type": "dependency",
+ "package": "once",
+ "installed_version": "1.4.0",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "once"
+ ]
+ },
+ {
+ "id": "pkg:npm/path-is-absolute@1.0.1",
+ "type": "dependency",
+ "package": "path-is-absolute",
+ "installed_version": "1.0.1",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "path-is-absolute"
+ ]
+ },
+ {
+ "id": "pkg:npm/path-parse@1.0.6",
+ "type": "dependency",
+ "package": "path-parse",
+ "installed_version": "1.0.6",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "path-parse"
+ ]
+ },
+ {
+ "id": "pkg:npm/resolve@1.12.0",
+ "type": "dependency",
+ "package": "resolve",
+ "installed_version": "1.12.0",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "resolve"
+ ]
+ },
+ {
+ "id": "pkg:npm/semver@5.7.1",
+ "type": "dependency",
+ "package": "semver",
+ "installed_version": "5.7.1",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "semver"
+ ]
+ },
+ {
+ "id": "pkg:npm/sprintf-js@1.0.3",
+ "type": "dependency",
+ "package": "sprintf-js",
+ "installed_version": "1.0.3",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "sprintf-js"
+ ]
+ },
+ {
+ "id": "pkg:npm/supports-color@5.5.0",
+ "type": "dependency",
+ "package": "supports-color",
+ "installed_version": "5.5.0",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "supports-color"
+ ]
+ },
+ {
+ "id": "pkg:npm/tslib@1.10.0",
+ "type": "dependency",
+ "package": "tslib",
+ "installed_version": "1.10.0",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "tslib"
+ ]
+ },
+ {
+ "id": "pkg:npm/tslint@5.20.0",
+ "type": "dependency",
+ "package": "tslint",
+ "installed_version": "5.20.0",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint"
+ ]
+ },
+ {
+ "id": "pkg:npm/tsutils@2.29.0",
+ "type": "dependency",
+ "package": "tsutils",
+ "installed_version": "2.29.0",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "tsutils"
+ ]
+ },
+ {
+ "id": "pkg:npm/typescript@3.6.4",
+ "type": "dependency",
+ "package": "typescript",
+ "installed_version": "3.6.4",
+ "direct_dependency_to_bump": "typescript",
+ "dependency_path": [
+ "typescript"
+ ]
+ },
+ {
+ "id": "pkg:npm/wrappy@1.0.2",
+ "type": "dependency",
+ "package": "wrappy",
+ "installed_version": "1.0.2",
+ "direct_dependency_to_bump": "tslint",
+ "dependency_path": [
+ "tslint",
+ "wrappy"
+ ]
+ },
+ {
+ "id": "adv:GHSA-f886-m6hf-6m8v",
+ "type": "advisory",
+ "advisory_id": "GHSA-f886-m6hf-6m8v",
+ "severity": "unknown",
+ "fix_version": null
+ },
+ {
+ "id": "adv:GHSA-v6h2-p8h4-qcjw",
+ "type": "advisory",
+ "advisory_id": "GHSA-v6h2-p8h4-qcjw",
+ "severity": "unknown",
+ "fix_version": null
+ },
+ {
+ "id": "adv:GHSA-73rr-hh4g-fpgx",
+ "type": "advisory",
+ "advisory_id": "GHSA-73rr-hh4g-fpgx",
+ "severity": "unknown",
+ "fix_version": null
+ },
+ {
+ "id": "adv:GHSA-h67p-54hq-rp68",
+ "type": "advisory",
+ "advisory_id": "GHSA-h67p-54hq-rp68",
+ "severity": "unknown",
+ "fix_version": null
+ },
+ {
+ "id": "adv:GHSA-mh29-5h37-fv8m",
+ "type": "advisory",
+ "advisory_id": "GHSA-mh29-5h37-fv8m",
+ "severity": "unknown",
+ "fix_version": null
+ },
+ {
+ "id": "adv:GHSA-23c5-xmqv-rm74",
+ "type": "advisory",
+ "advisory_id": "GHSA-23c5-xmqv-rm74",
+ "severity": "unknown",
+ "fix_version": null
+ },
+ {
+ "id": "adv:GHSA-3ppc-4f35-3m26",
+ "type": "advisory",
+ "advisory_id": "GHSA-3ppc-4f35-3m26",
+ "severity": "unknown",
+ "fix_version": null
+ },
+ {
+ "id": "adv:GHSA-7r86-cg39-jmmj",
+ "type": "advisory",
+ "advisory_id": "GHSA-7r86-cg39-jmmj",
+ "severity": "unknown",
+ "fix_version": null
+ },
+ {
+ "id": "adv:GHSA-f8q6-p94x-37v3",
+ "type": "advisory",
+ "advisory_id": "GHSA-f8q6-p94x-37v3",
+ "severity": "unknown",
+ "fix_version": null
+ },
+ {
+ "id": "adv:GHSA-vh95-rmgr-6w4m",
+ "type": "advisory",
+ "advisory_id": "GHSA-vh95-rmgr-6w4m",
+ "severity": "unknown",
+ "fix_version": null
+ },
+ {
+ "id": "adv:GHSA-xvch-5gv4-984h",
+ "type": "advisory",
+ "advisory_id": "GHSA-xvch-5gv4-984h",
+ "severity": "unknown",
+ "fix_version": null
+ },
+ {
+ "id": "adv:GHSA-hj48-42vr-x3v9",
+ "type": "advisory",
+ "advisory_id": "GHSA-hj48-42vr-x3v9",
+ "severity": "unknown",
+ "fix_version": null
+ },
+ {
+ "id": "adv:GHSA-c2qf-rxjj-qqgw",
+ "type": "advisory",
+ "advisory_id": "GHSA-c2qf-rxjj-qqgw",
+ "severity": "unknown",
+ "fix_version": null
+ }
+ ],
+ "edges": [
+ {
+ "from": "pkg:npm/brace-expansion@1.1.11",
+ "to": "adv:GHSA-f886-m6hf-6m8v",
+ "relationship": "osv_exact_version_matches_advisory",
+ "evidence_url": "https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v",
+ "direct_dependency_to_bump": "tslint"
+ },
+ {
+ "from": "pkg:npm/brace-expansion@1.1.11",
+ "to": "adv:GHSA-v6h2-p8h4-qcjw",
+ "relationship": "osv_exact_version_matches_advisory",
+ "evidence_url": "https://osv.dev/vulnerability/GHSA-v6h2-p8h4-qcjw",
+ "direct_dependency_to_bump": "tslint"
+ },
+ {
+ "from": "pkg:npm/diff@4.0.1",
+ "to": "adv:GHSA-73rr-hh4g-fpgx",
+ "relationship": "osv_exact_version_matches_advisory",
+ "evidence_url": "https://osv.dev/vulnerability/GHSA-73rr-hh4g-fpgx",
+ "direct_dependency_to_bump": "tslint"
+ },
+ {
+ "from": "pkg:npm/js-yaml@3.13.1",
+ "to": "adv:GHSA-h67p-54hq-rp68",
+ "relationship": "osv_exact_version_matches_advisory",
+ "evidence_url": "https://osv.dev/vulnerability/GHSA-h67p-54hq-rp68",
+ "direct_dependency_to_bump": "tslint"
+ },
+ {
+ "from": "pkg:npm/js-yaml@3.13.1",
+ "to": "adv:GHSA-mh29-5h37-fv8m",
+ "relationship": "osv_exact_version_matches_advisory",
+ "evidence_url": "https://osv.dev/vulnerability/GHSA-mh29-5h37-fv8m",
+ "direct_dependency_to_bump": "tslint"
+ },
+ {
+ "from": "pkg:npm/minimatch@3.0.4",
+ "to": "adv:GHSA-23c5-xmqv-rm74",
+ "relationship": "osv_exact_version_matches_advisory",
+ "evidence_url": "https://osv.dev/vulnerability/GHSA-23c5-xmqv-rm74",
+ "direct_dependency_to_bump": "tslint"
+ },
+ {
+ "from": "pkg:npm/minimatch@3.0.4",
+ "to": "adv:GHSA-3ppc-4f35-3m26",
+ "relationship": "osv_exact_version_matches_advisory",
+ "evidence_url": "https://osv.dev/vulnerability/GHSA-3ppc-4f35-3m26",
+ "direct_dependency_to_bump": "tslint"
+ },
+ {
+ "from": "pkg:npm/minimatch@3.0.4",
+ "to": "adv:GHSA-7r86-cg39-jmmj",
+ "relationship": "osv_exact_version_matches_advisory",
+ "evidence_url": "https://osv.dev/vulnerability/GHSA-7r86-cg39-jmmj",
+ "direct_dependency_to_bump": "tslint"
+ },
+ {
+ "from": "pkg:npm/minimatch@3.0.4",
+ "to": "adv:GHSA-f8q6-p94x-37v3",
+ "relationship": "osv_exact_version_matches_advisory",
+ "evidence_url": "https://osv.dev/vulnerability/GHSA-f8q6-p94x-37v3",
+ "direct_dependency_to_bump": "tslint"
+ },
+ {
+ "from": "pkg:npm/minimist@0.0.8",
+ "to": "adv:GHSA-vh95-rmgr-6w4m",
+ "relationship": "osv_exact_version_matches_advisory",
+ "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m",
+ "direct_dependency_to_bump": "tslint"
+ },
+ {
+ "from": "pkg:npm/minimist@0.0.8",
+ "to": "adv:GHSA-xvch-5gv4-984h",
+ "relationship": "osv_exact_version_matches_advisory",
+ "evidence_url": "https://osv.dev/vulnerability/GHSA-xvch-5gv4-984h",
+ "direct_dependency_to_bump": "tslint"
+ },
+ {
+ "from": "pkg:npm/path-parse@1.0.6",
+ "to": "adv:GHSA-hj48-42vr-x3v9",
+ "relationship": "osv_exact_version_matches_advisory",
+ "evidence_url": "https://osv.dev/vulnerability/GHSA-hj48-42vr-x3v9",
+ "direct_dependency_to_bump": "tslint"
+ },
+ {
+ "from": "pkg:npm/semver@5.7.1",
+ "to": "adv:GHSA-c2qf-rxjj-qqgw",
+ "relationship": "osv_exact_version_matches_advisory",
+ "evidence_url": "https://osv.dev/vulnerability/GHSA-c2qf-rxjj-qqgw",
+ "direct_dependency_to_bump": "tslint"
+ }
+ ]
+ },
+ "false_positive_guards": [
+ {
+ "package": "@babel/code-frame",
+ "installed_version": "7.5.5",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "@babel/highlight",
+ "installed_version": "7.5.0",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "@types/node",
+ "installed_version": "12.11.1",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "ansi-styles",
+ "installed_version": "3.2.1",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "argparse",
+ "installed_version": "1.0.10",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "balanced-match",
+ "installed_version": "1.0.0",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "builtin-modules",
+ "installed_version": "1.1.1",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "chalk",
+ "installed_version": "2.4.2",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "color-convert",
+ "installed_version": "1.9.3",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "color-name",
+ "installed_version": "1.1.3",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "commander",
+ "installed_version": "2.20.3",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "concat-map",
+ "installed_version": "0.0.1",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "escape-string-regexp",
+ "installed_version": "1.0.5",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "esprima",
+ "installed_version": "4.0.1",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "esutils",
+ "installed_version": "2.0.3",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "fs.realpath",
+ "installed_version": "1.0.0",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "glob",
+ "installed_version": "7.1.4",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "has-flag",
+ "installed_version": "3.0.0",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "inflight",
+ "installed_version": "1.0.6",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "inherits",
+ "installed_version": "2.0.4",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "js-tokens",
+ "installed_version": "4.0.0",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "mkdirp",
+ "installed_version": "0.5.1",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "once",
+ "installed_version": "1.4.0",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "path-is-absolute",
+ "installed_version": "1.0.1",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "resolve",
+ "installed_version": "1.12.0",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "sprintf-js",
+ "installed_version": "1.0.3",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "supports-color",
+ "installed_version": "5.5.0",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "tslib",
+ "installed_version": "1.10.0",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "tslint",
+ "installed_version": "5.20.0",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "tsutils",
+ "installed_version": "2.29.0",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "typescript",
+ "installed_version": "3.6.4",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ },
+ {
+ "package": "wrappy",
+ "installed_version": "1.0.2",
+ "guard": "OSV returned no vulnerability for this exact package and installed version."
+ }
+ ],
+ "validation": {
+ "exact_version_match": true,
+ "no_package_name_only_false_positives": true,
+ "package_name_only_guard_count": 32,
+ "target_lockfile_ingested": true,
+ "target_code_executed": true,
+ "target_code_execution_note": "The scanner executed against and parsed the target project's dependency lockfile; it did not run application code.",
+ "target_packages_installed": false,
+ "osv_runtime_query_performed": true,
+ "advisory_source_mode": "live_osv_querybatch",
+ "direct_dependency_fix_paths_count": 13
+ },
+ "operator_next_steps": [
+ "Bump the listed direct_dependency_to_bump to a version that resolves the advisory.",
+ "Regenerate the lockfile and re-run this skill against the updated lockfile.",
+ "Attach the OSV evidence URL, fix path, and runx receipt to the dependency review record."
+ ]
+}
diff --git a/skills/dependency-advisory-graph/artifacts/live-theia-security-audit-runx-v2c/report.md b/skills/dependency-advisory-graph/artifacts/live-theia-security-audit-runx-v2c/report.md
new file mode 100644
index 00000000..68299a7a
--- /dev/null
+++ b/skills/dependency-advisory-graph/artifacts/live-theia-security-audit-runx-v2c/report.md
@@ -0,0 +1,53 @@
+# Dependency Advisory Graph Report
+
+Project: eclipse-theia/security-audit
+Project URL: https://github.com/eclipse-theia/security-audit
+Lockfile source: https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json
+Ecosystem: npm
+Advisory source: https://api.osv.dev/v1/querybatch
+Retrieved at: 2026-06-24T00:25:58.356Z
+
+## Findings
+
+- brace-expansion@1.1.11: GHSA-f886-m6hf-6m8v, severity unknown, fix not listed, direct dependency to bump tslint, evidence https://osv.dev/vulnerability/GHSA-f886-m6hf-6m8v
+ - Fix path: Bump tslint to a version outside the OSV affected range for GHSA-f886-m6hf-6m8v.
+- brace-expansion@1.1.11: GHSA-v6h2-p8h4-qcjw, severity unknown, fix not listed, direct dependency to bump tslint, evidence https://osv.dev/vulnerability/GHSA-v6h2-p8h4-qcjw
+ - Fix path: Bump tslint to a version outside the OSV affected range for GHSA-v6h2-p8h4-qcjw.
+- diff@4.0.1: GHSA-73rr-hh4g-fpgx, severity unknown, fix not listed, direct dependency to bump tslint, evidence https://osv.dev/vulnerability/GHSA-73rr-hh4g-fpgx
+ - Fix path: Bump tslint to a version outside the OSV affected range for GHSA-73rr-hh4g-fpgx.
+- js-yaml@3.13.1: GHSA-h67p-54hq-rp68, severity unknown, fix not listed, direct dependency to bump tslint, evidence https://osv.dev/vulnerability/GHSA-h67p-54hq-rp68
+ - Fix path: Bump tslint to a version outside the OSV affected range for GHSA-h67p-54hq-rp68.
+- js-yaml@3.13.1: GHSA-mh29-5h37-fv8m, severity unknown, fix not listed, direct dependency to bump tslint, evidence https://osv.dev/vulnerability/GHSA-mh29-5h37-fv8m
+ - Fix path: Bump tslint to a version outside the OSV affected range for GHSA-mh29-5h37-fv8m.
+- minimatch@3.0.4: GHSA-23c5-xmqv-rm74, severity unknown, fix not listed, direct dependency to bump tslint, evidence https://osv.dev/vulnerability/GHSA-23c5-xmqv-rm74
+ - Fix path: Bump tslint to a version outside the OSV affected range for GHSA-23c5-xmqv-rm74.
+- minimatch@3.0.4: GHSA-3ppc-4f35-3m26, severity unknown, fix not listed, direct dependency to bump tslint, evidence https://osv.dev/vulnerability/GHSA-3ppc-4f35-3m26
+ - Fix path: Bump tslint to a version outside the OSV affected range for GHSA-3ppc-4f35-3m26.
+- minimatch@3.0.4: GHSA-7r86-cg39-jmmj, severity unknown, fix not listed, direct dependency to bump tslint, evidence https://osv.dev/vulnerability/GHSA-7r86-cg39-jmmj
+ - Fix path: Bump tslint to a version outside the OSV affected range for GHSA-7r86-cg39-jmmj.
+- minimatch@3.0.4: GHSA-f8q6-p94x-37v3, severity unknown, fix not listed, direct dependency to bump tslint, evidence https://osv.dev/vulnerability/GHSA-f8q6-p94x-37v3
+ - Fix path: Bump tslint to a version outside the OSV affected range for GHSA-f8q6-p94x-37v3.
+- minimist@0.0.8: GHSA-vh95-rmgr-6w4m, severity unknown, fix not listed, direct dependency to bump tslint, evidence https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m
+ - Fix path: Bump tslint to a version outside the OSV affected range for GHSA-vh95-rmgr-6w4m.
+- minimist@0.0.8: GHSA-xvch-5gv4-984h, severity unknown, fix not listed, direct dependency to bump tslint, evidence https://osv.dev/vulnerability/GHSA-xvch-5gv4-984h
+ - Fix path: Bump tslint to a version outside the OSV affected range for GHSA-xvch-5gv4-984h.
+- path-parse@1.0.6: GHSA-hj48-42vr-x3v9, severity unknown, fix not listed, direct dependency to bump tslint, evidence https://osv.dev/vulnerability/GHSA-hj48-42vr-x3v9
+ - Fix path: Bump tslint to a version outside the OSV affected range for GHSA-hj48-42vr-x3v9.
+- semver@5.7.1: GHSA-c2qf-rxjj-qqgw, severity unknown, fix not listed, direct dependency to bump tslint, evidence https://osv.dev/vulnerability/GHSA-c2qf-rxjj-qqgw
+ - Fix path: Bump tslint to a version outside the OSV affected range for GHSA-c2qf-rxjj-qqgw.
+
+## Verification
+
+- typed_output_fields: pass
+- real_lockfile_ingested: pass
+- osv_advisory_source: pass
+- exact_version_match: pass
+- direct_dependency_fix_path: pass
+- false_positive_guard: pass
+- no_target_install_or_app_execution: pass
+
+## Operator next steps
+
+- Bump the listed direct_dependency_to_bump to a version that resolves the advisory.
+- Regenerate the lockfile and re-run this skill against the updated lockfile.
+- Attach the OSV evidence URL, fix path, and runx receipt to the dependency review record.
diff --git a/skills/dependency-advisory-graph/artifacts/live-theia-security-audit-runx-v2c/verification.json b/skills/dependency-advisory-graph/artifacts/live-theia-security-audit-runx-v2c/verification.json
new file mode 100644
index 00000000..b9d85b0c
--- /dev/null
+++ b/skills/dependency-advisory-graph/artifacts/live-theia-security-audit-runx-v2c/verification.json
@@ -0,0 +1,50 @@
+{
+ "schema": "runx.dependency_advisory_graph.verification.v2",
+ "skill": "dependency-advisory-graph",
+ "project": {
+ "name": "eclipse-theia/security-audit",
+ "url": "https://github.com/eclipse-theia/security-audit",
+ "lockfile_source": "https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json",
+ "lockfile_path": null,
+ "lockfile_url": "https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json"
+ },
+ "checks": [
+ {
+ "id": "typed_output_fields",
+ "status": "pass"
+ },
+ {
+ "id": "real_lockfile_ingested",
+ "status": "pass",
+ "source": "https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json"
+ },
+ {
+ "id": "osv_advisory_source",
+ "status": "pass",
+ "mode": "live_osv_querybatch"
+ },
+ {
+ "id": "exact_version_match",
+ "status": "pass"
+ },
+ {
+ "id": "direct_dependency_fix_path",
+ "status": "pass"
+ },
+ {
+ "id": "false_positive_guard",
+ "status": "pass",
+ "guarded_non_findings": 32
+ },
+ {
+ "id": "no_target_install_or_app_execution",
+ "status": "pass",
+ "note": "The scanner executed against and parsed the target project's dependency lockfile; it did not run application code."
+ }
+ ],
+ "install_run_verify": [
+ "runx --version",
+ "runx harness ./skills/dependency-advisory-graph --json",
+ "runx skill ./skills/dependency-advisory-graph --input lockfile_path= --json"
+ ]
+}
diff --git a/skills/dependency-advisory-graph/artifacts/sealed-advisory-minimist-008/evidence.json b/skills/dependency-advisory-graph/artifacts/sealed-advisory-minimist-008/evidence.json
new file mode 100644
index 00000000..d6a5480e
--- /dev/null
+++ b/skills/dependency-advisory-graph/artifacts/sealed-advisory-minimist-008/evidence.json
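Review bot: The third `install_run_verify` entry, `runx skill ./skills/dependency-advisory-graph --input lockfile_path= --json`, passes an empty `lockfile_path`, so it cannot reproduce this artifact, which the `project` block shows was produced from `lockfile_url` with `lockfile_path` null. Record the invocation that actually produced the run, `--input lockfile_url=https://raw.githubusercontent.com/eclipse-theia/security-audit/master/package-lock.json`, or mark the value as an obvious placeholder such as `lockfile_path=<PATH_TO_PACKAGE_LOCK>`. Separately, every advisory node and finding in this live run carries `severity: unknown` and `fix_version: null` while the sealed fixture has concrete values, which looks like the querybatch response was never followed up with per-advisory detail lookups; none of the seven checks covers that, so the file reports a full pass for a run whose advisory detail is empty. A check such as `advisory_details_resolved` carrying the count of advisories with no severity or fix data would make that gap visible to whoever reads the receipt.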
@@ -0,0 +1,125 @@ +{ + "schema": "runx.dependency_advisory_graph.v2", + "ecosystem": "npm", + "project": { + "name": "fixture-vulnerable-app", + "url": "https://example.com/fixture-vulnerable-app", + "lockfile_source": "fixtures/package-lock-advisory.json", + "lockfile_path": "fixtures/package-lock-advisory.json", + "lockfile_url": null + }, + "package": "minimist", + "installed_version": "0.0.8", + "advisory_id": "GHSA-vh95-rmgr-6w4m", + "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:00:00.000Z", + "severity": "critical", + "fix_version": "0.2.1", + "fix_path": "Bump minimist so minimist@0.0.8 is replaced by a non-vulnerable version; OSV first fixed version: 0.2.1.", + "direct_dependency_to_bump": "minimist", + "confidence": "high", + "exact_version_match": true, + "findings": [ + { + "package": "minimist", + "installed_version": "0.0.8", + "dependency_path": [ + "minimist" + ], + "direct_dependency_to_bump": "minimist", + "fix_path": "Bump minimist so minimist@0.0.8 is replaced by a non-vulnerable version; OSV first fixed version: 0.2.1.", + "advisory_id": "GHSA-vh95-rmgr-6w4m", + "aliases": [ + "CVE-2020-7598" + ], + "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:00:00.000Z", + "severity": "critical", + "fix_version": "0.2.1", + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." 
+ } + ], + "clean_packages": [ + { + "package": "left-pad", + "installed_version": "1.3.0", + "path": "node_modules/left-pad", + "direct": true, + "direct_dependency_to_bump": "left-pad", + "dependency_path": [ + "left-pad" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + } + ], + "graph": { + "nodes": [ + { + "id": "pkg:npm/minimist@0.0.8", + "type": "dependency", + "package": "minimist", + "installed_version": "0.0.8", + "direct_dependency_to_bump": "minimist", + "dependency_path": [ + "minimist" + ] + }, + { + "id": "pkg:npm/left-pad@1.3.0", + "type": "dependency", + "package": "left-pad", + "installed_version": "1.3.0", + "direct_dependency_to_bump": "left-pad", + "dependency_path": [ + "left-pad" + ] + }, + { + "id": "adv:GHSA-vh95-rmgr-6w4m", + "type": "advisory", + "advisory_id": "GHSA-vh95-rmgr-6w4m", + "severity": "critical", + "fix_version": "0.2.1" + } + ], + "edges": [ + { + "from": "pkg:npm/minimist@0.0.8", + "to": "adv:GHSA-vh95-rmgr-6w4m", + "relationship": "osv_exact_version_matches_advisory", + "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m", + "direct_dependency_to_bump": "minimist" + } + ] + }, + "false_positive_guards": [ + { + "package": "left-pad", + "installed_version": "1.3.0", + "guard": "OSV returned no vulnerability for this exact package and installed version." 
+ } + ], + "validation": { + "exact_version_match": true, + "no_package_name_only_false_positives": true, + "package_name_only_guard_count": 1, + "target_lockfile_ingested": true, + "target_code_executed": true, + "target_code_execution_note": "The scanner executed against and parsed the target project's dependency lockfile; it did not run application code.", + "target_packages_installed": false, + "osv_runtime_query_performed": false, + "advisory_source_mode": "osv_fixture_response", + "direct_dependency_fix_paths_count": 1 + }, + "operator_next_steps": [ + "Bump the listed direct_dependency_to_bump to a version that resolves the advisory.", + "Regenerate the lockfile and re-run this skill against the updated lockfile.", + "Attach the OSV evidence URL, fix path, and runx receipt to the dependency review record." + ] +} diff --git a/skills/dependency-advisory-graph/artifacts/sealed-advisory-minimist-008/report.md b/skills/dependency-advisory-graph/artifacts/sealed-advisory-minimist-008/report.md new file mode 100644 index 00000000..ffb7d026 --- /dev/null +++ b/skills/dependency-advisory-graph/artifacts/sealed-advisory-minimist-008/report.md 
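Review bot: `validation.target_code_executed` is `true` in the same packet whose `no_target_install_or_app_execution` check passes and whose `target_code_execution_note` says application code was not run, so a consumer reading the boolean alone concludes the opposite of what the note says. Either rename the field to what actually happened (`"target_lockfile_parsed": true`) or set `"target_code_executed": false` and keep the note; the transitive-advisory evidence packet (`artifacts/transitive-advisory-direct-owner/evidence.json`) carries the same contradiction. `package_name_only_guard_count: 1` also appears to simply count the `false_positive_guards` entries — the only guarded package here, left-pad, was never matched by name at all — in which case the key overstates what was checked. If these packets are produced by `run.mjs`, the fix belongs in its packet builder rather than in the committed artifact.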
@@ -0,0 +1,29 @@ +# Dependency Advisory Graph Report + +Project: fixture-vulnerable-app +Project URL: https://example.com/fixture-vulnerable-app +Lockfile source: fixtures/package-lock-advisory.json +Ecosystem: npm +Advisory source: https://api.osv.dev/v1/querybatch +Retrieved at: 2026-06-24T00:00:00.000Z + +## Findings + +- minimist@0.0.8: GHSA-vh95-rmgr-6w4m, severity critical, fix 0.2.1, direct dependency to bump minimist, evidence https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m + - Fix path: Bump minimist so minimist@0.0.8 is replaced by a non-vulnerable version; OSV first fixed version: 0.2.1. + +## Verification + +- typed_output_fields: pass +- real_lockfile_ingested: pass +- osv_advisory_source: pass +- exact_version_match: pass +- direct_dependency_fix_path: pass +- false_positive_guard: pass +- no_target_install_or_app_execution: pass + +## Operator next steps + +- Bump the listed direct_dependency_to_bump to a version that resolves the advisory. +- Regenerate the lockfile and re-run this skill against the updated lockfile. +- Attach the OSV evidence URL, fix path, and runx receipt to the dependency review record. diff --git a/skills/dependency-advisory-graph/artifacts/sealed-advisory-minimist-008/verification.json b/skills/dependency-advisory-graph/artifacts/sealed-advisory-minimist-008/verification.json new file mode 100644 index 00000000..1da1b5d4 --- /dev/null +++ b/skills/dependency-advisory-graph/artifacts/sealed-advisory-minimist-008/verification.json 
@@ -0,0 +1,50 @@ +{ + "schema": "runx.dependency_advisory_graph.verification.v2", + "skill": "dependency-advisory-graph", + "project": { + "name": "fixture-vulnerable-app", + "url": "https://example.com/fixture-vulnerable-app", + "lockfile_source": "fixtures/package-lock-advisory.json", + "lockfile_path": "fixtures/package-lock-advisory.json", + "lockfile_url": null + }, + "checks": [ + { + "id": "typed_output_fields", + "status": "pass" + }, + { + "id": "real_lockfile_ingested", + "status": "pass", + "source": "fixtures/package-lock-advisory.json" + }, + { + "id": "osv_advisory_source", + "status": "pass", + "mode": "osv_fixture_response" + }, + { + "id": "exact_version_match", + "status": "pass" + }, + { + "id": "direct_dependency_fix_path", + "status": "pass" + }, + { + "id": "false_positive_guard", + "status": "pass", + "guarded_non_findings": 1 + }, + { + "id": "no_target_install_or_app_execution", + "status": "pass", + "note": "The scanner executed against and parsed the target project's dependency lockfile; it did not run application code." + } + ], + "install_run_verify": [ + "runx --version", + "runx harness ./skills/dependency-advisory-graph --json", + "runx skill ./skills/dependency-advisory-graph --input lockfile_path= --json" + ] +} diff --git a/skills/dependency-advisory-graph/artifacts/transitive-advisory-direct-owner/evidence.json b/skills/dependency-advisory-graph/artifacts/transitive-advisory-direct-owner/evidence.json new file mode 100644 index 00000000..b8b5c205 --- /dev/null +++ b/skills/dependency-advisory-graph/artifacts/transitive-advisory-direct-owner/evidence.json 
@@ -0,0 +1,127 @@ +{ + "schema": "runx.dependency_advisory_graph.v2", + "ecosystem": "npm", + "project": { + "name": "fixture-transitive-vulnerable-app", + "url": "https://example.com/fixture-transitive-vulnerable-app", + "lockfile_source": "fixtures/package-lock-transitive-advisory.json", + "lockfile_path": "fixtures/package-lock-transitive-advisory.json", + "lockfile_url": null + }, + "package": "minimist", + "installed_version": "0.0.8", + "advisory_id": "GHSA-vh95-rmgr-6w4m", + "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:00:00.000Z", + "severity": "critical", + "fix_version": "0.2.1", + "fix_path": "Bump mkdirp so minimist@0.0.8 is replaced by a non-vulnerable version; OSV first fixed version: 0.2.1.", + "direct_dependency_to_bump": "mkdirp", + "confidence": "high", + "exact_version_match": true, + "findings": [ + { + "package": "minimist", + "installed_version": "0.0.8", + "dependency_path": [ + "mkdirp", + "minimist" + ], + "direct_dependency_to_bump": "mkdirp", + "fix_path": "Bump mkdirp so minimist@0.0.8 is replaced by a non-vulnerable version; OSV first fixed version: 0.2.1.", + "advisory_id": "GHSA-vh95-rmgr-6w4m", + "aliases": [ + "CVE-2020-7598" + ], + "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m", + "advisory_source": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:00:00.000Z", + "severity": "critical", + "fix_version": "0.2.1", + "confidence": "high", + "exact_version_match": true, + "ecosystem": "npm", + "false_positive_guard": "Finding emitted only after OSV query matched package name and exact installed version." 
+ } + ], + "clean_packages": [ + { + "package": "mkdirp", + "installed_version": "0.5.1", + "path": "node_modules/mkdirp", + "direct": true, + "direct_dependency_to_bump": "mkdirp", + "dependency_path": [ + "mkdirp" + ], + "confidence": "high", + "false_positive_guard": "No finding was emitted because OSV returned no advisory for this exact package and installed version." + } + ], + "graph": { + "nodes": [ + { + "id": "pkg:npm/mkdirp@0.5.1", + "type": "dependency", + "package": "mkdirp", + "installed_version": "0.5.1", + "direct_dependency_to_bump": "mkdirp", + "dependency_path": [ + "mkdirp" + ] + }, + { + "id": "pkg:npm/minimist@0.0.8", + "type": "dependency", + "package": "minimist", + "installed_version": "0.0.8", + "direct_dependency_to_bump": "mkdirp", + "dependency_path": [ + "mkdirp", + "minimist" + ] + }, + { + "id": "adv:GHSA-vh95-rmgr-6w4m", + "type": "advisory", + "advisory_id": "GHSA-vh95-rmgr-6w4m", + "severity": "critical", + "fix_version": "0.2.1" + } + ], + "edges": [ + { + "from": "pkg:npm/minimist@0.0.8", + "to": "adv:GHSA-vh95-rmgr-6w4m", + "relationship": "osv_exact_version_matches_advisory", + "evidence_url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m", + "direct_dependency_to_bump": "mkdirp" + } + ] + }, + "false_positive_guards": [ + { + "package": "mkdirp", + "installed_version": "0.5.1", + "guard": "OSV returned no vulnerability for this exact package and installed version." 
+ } + ], + "validation": { + "exact_version_match": true, + "no_package_name_only_false_positives": true, + "package_name_only_guard_count": 1, + "target_lockfile_ingested": true, + "target_code_executed": true, + "target_code_execution_note": "The scanner executed against and parsed the target project's dependency lockfile; it did not run application code.", + "target_packages_installed": false, + "osv_runtime_query_performed": false, + "advisory_source_mode": "osv_fixture_response", + "direct_dependency_fix_paths_count": 1 + }, + "operator_next_steps": [ + "Bump the listed direct_dependency_to_bump to a version that resolves the advisory.", + "Regenerate the lockfile and re-run this skill against the updated lockfile.", + "Attach the OSV evidence URL, fix path, and runx receipt to the dependency review record." + ] +} diff --git a/skills/dependency-advisory-graph/artifacts/transitive-advisory-direct-owner/report.md b/skills/dependency-advisory-graph/artifacts/transitive-advisory-direct-owner/report.md new file mode 100644 index 00000000..d327bb9b --- /dev/null +++ b/skills/dependency-advisory-graph/artifacts/transitive-advisory-direct-owner/report.md 
@@ -0,0 +1,29 @@ +# Dependency Advisory Graph Report + +Project: fixture-transitive-vulnerable-app +Project URL: https://example.com/fixture-transitive-vulnerable-app +Lockfile source: fixtures/package-lock-transitive-advisory.json +Ecosystem: npm +Advisory source: https://api.osv.dev/v1/querybatch +Retrieved at: 2026-06-24T00:00:00.000Z + +## Findings + +- minimist@0.0.8: GHSA-vh95-rmgr-6w4m, severity critical, fix 0.2.1, direct dependency to bump mkdirp, evidence https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m + - Fix path: Bump mkdirp so minimist@0.0.8 is replaced by a non-vulnerable version; OSV first fixed version: 0.2.1. + +## Verification + +- typed_output_fields: pass +- real_lockfile_ingested: pass +- osv_advisory_source: pass +- exact_version_match: pass +- direct_dependency_fix_path: pass +- false_positive_guard: pass +- no_target_install_or_app_execution: pass + +## Operator next steps + +- Bump the listed direct_dependency_to_bump to a version that resolves the advisory. +- Regenerate the lockfile and re-run this skill against the updated lockfile. +- Attach the OSV evidence URL, fix path, and runx receipt to the dependency review record. diff --git a/skills/dependency-advisory-graph/artifacts/transitive-advisory-direct-owner/verification.json b/skills/dependency-advisory-graph/artifacts/transitive-advisory-direct-owner/verification.json new file mode 100644 index 00000000..b33e2782 --- /dev/null +++ b/skills/dependency-advisory-graph/artifacts/transitive-advisory-direct-owner/verification.json 
@@ -0,0 +1,50 @@ +{ + "schema": "runx.dependency_advisory_graph.verification.v2", + "skill": "dependency-advisory-graph", + "project": { + "name": "fixture-transitive-vulnerable-app", + "url": "https://example.com/fixture-transitive-vulnerable-app", + "lockfile_source": "fixtures/package-lock-transitive-advisory.json", + "lockfile_path": "fixtures/package-lock-transitive-advisory.json", + "lockfile_url": null + }, + "checks": [ + { + "id": "typed_output_fields", + "status": "pass" + }, + { + "id": "real_lockfile_ingested", + "status": "pass", + "source": "fixtures/package-lock-transitive-advisory.json" + }, + { + "id": "osv_advisory_source", + "status": "pass", + "mode": "osv_fixture_response" + }, + { + "id": "exact_version_match", + "status": "pass" + }, + { + "id": "direct_dependency_fix_path", + "status": "pass" + }, + { + "id": "false_positive_guard", + "status": "pass", + "guarded_non_findings": 1 + }, + { + "id": "no_target_install_or_app_execution", + "status": "pass", + "note": "The scanner executed against and parsed the target project's dependency lockfile; it did not run application code." + } + ], + "install_run_verify": [ + "runx --version", + "runx harness ./skills/dependency-advisory-graph --json", + "runx skill ./skills/dependency-advisory-graph --input lockfile_path= --json" + ] +} diff --git a/skills/dependency-advisory-graph/fixtures/clean-manifest-no-finding.yaml b/skills/dependency-advisory-graph/fixtures/clean-manifest-no-finding.yaml new file mode 100644 index 00000000..bcb5e3d9 --- /dev/null +++ b/skills/dependency-advisory-graph/fixtures/clean-manifest-no-finding.yaml 
@@ -0,0 +1,19 @@ +name: clean-manifest-no-finding +kind: skill +target: .. +runner: default +inputs: + ecosystem: npm + project_name: fixture-clean-app + project_url: https://example.com/fixture-clean-app + lockfile_path: fixtures/package-lock-clean.json + osv_response_path: fixtures/osv-clean-response.json + output_dir: artifacts/clean-manifest-no-finding +expect: + status: sealed + receipt: + schema: runx.receipt.v1 +metadata: + public_skill: dependency-advisory-graph + source_case: clean-manifest-no-finding + source: lockfile-osv-fixture diff --git a/skills/dependency-advisory-graph/fixtures/invalid-manifest-fails.yaml b/skills/dependency-advisory-graph/fixtures/invalid-manifest-fails.yaml new file mode 100644 index 00000000..b128a9f1 --- /dev/null +++ b/skills/dependency-advisory-graph/fixtures/invalid-manifest-fails.yaml @@ -0,0 +1,20 @@ +name: invalid-manifest-fails +kind: skill +target: .. +runner: default +inputs: + ecosystem: npm + lockfile: {} + osv_response: + results: [] +expect: + status: failure + receipt: + schema: runx.receipt.v1 + state: sealed + disposition: failed + reason_code: process_failed +metadata: + public_skill: dependency-advisory-graph + source_case: invalid-manifest-fails + source: lockfile-osv-fixture diff --git a/skills/dependency-advisory-graph/fixtures/osv-clean-response.json b/skills/dependency-advisory-graph/fixtures/osv-clean-response.json new file mode 100644 index 00000000..d3e14f19 --- /dev/null +++ b/skills/dependency-advisory-graph/fixtures/osv-clean-response.json @@ -0,0 +1,16 @@ +{ + "retrieved_at": "2026-06-24T00:00:00.000Z", + "source": { + "name": "OSV querybatch fixture", + "url": "https://api.osv.dev/v1/querybatch", + "retrieved_at": "2026-06-24T00:00:00.000Z" + }, + "results": [ + { + "vulns": [] + }, + { + "vulns": [] + } + ] +} 
diff --git a/skills/dependency-advisory-graph/fixtures/osv-minimist-response.json b/skills/dependency-advisory-graph/fixtures/osv-minimist-response.json
new file mode 100644
index 00000000..cc47fead
--- /dev/null
+++ b/skills/dependency-advisory-graph/fixtures/osv-minimist-response.json
@@ -0,0 +1,58 @@
+{
+ "retrieved_at": "2026-06-24T00:00:00.000Z",
+ "source": {
+ "name": "OSV querybatch fixture",
+ "url": "https://api.osv.dev/v1/querybatch",
+ "retrieved_at": "2026-06-24T00:00:00.000Z"
+ },
+ "results": [
+ {
+ "vulns": [
+ {
+ "id": "GHSA-vh95-rmgr-6w4m",
+ "aliases": [
+ "CVE-2020-7598"
+ ],
+ "summary": "minimist prototype pollution",
+ "modified": "2026-06-24T00:00:00.000Z",
+ "database_specific": {
+ "severity": "CRITICAL"
+ },
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "minimist"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.2.1"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.0.8"
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "vulns": []
+ }
+ ]
+}
diff --git a/skills/dependency-advisory-graph/fixtures/osv-transitive-minimist-response.json b/skills/dependency-advisory-graph/fixtures/osv-transitive-minimist-response.json
new file mode 100644
index 00000000..0328d2f2
--- /dev/null
+++ b/skills/dependency-advisory-graph/fixtures/osv-transitive-minimist-response.json
@@ -0,0 +1,49 @@
+{
+ "source": {
+ "url": "https://api.osv.dev/v1/querybatch",
+ "retrieved_at": "2026-06-24T00:00:00.000Z"
+ },
+ "results": [
+ {
+ "vulns": []
+ },
+ {
+ "vulns": [
+ {
+ "id": "GHSA-vh95-rmgr-6w4m",
+ "aliases": [
+ "CVE-2020-7598"
+ ],
+ "summary": "minimist prototype pollution",
+ "database_specific": {
+ "severity": "critical"
+ },
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "minimist"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "fixed": "0.2.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://osv.dev/vulnerability/GHSA-vh95-rmgr-6w4m"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/skills/dependency-advisory-graph/fixtures/package-lock-advisory.json b/skills/dependency-advisory-graph/fixtures/package-lock-advisory.json
new file mode 100644
index 00000000..275ecf78
--- /dev/null
+++ b/skills/dependency-advisory-graph/fixtures/package-lock-advisory.json
@@ -0,0 +1,27 @@
+{
+ "name": "fixture-vulnerable-app",
+ "version": "1.0.0",
+ "lockfileVersion": 3,
+ "requires": true,
+ "packages": {
+ "": {
+ "name": "fixture-vulnerable-app",
+ "version": "1.0.0",
+ "dependencies": {
+ "minimist": "0.0.8",
+ "left-pad": "1.3.0"
+ }
+ },
+ "node_modules/minimist": {
+ "version": "0.0.8",
+ "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz",
+ "integrity": "sha512-fixture"
+ },
+ "node_modules/left-pad": {
+ "version": "1.3.0",
+ "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
+ "integrity": "sha512-fixture"
+ }
+ }
+}
+
diff --git a/skills/dependency-advisory-graph/fixtures/package-lock-clean.json b/skills/dependency-advisory-graph/fixtures/package-lock-clean.json
new file mode 100644
index 00000000..7c5b5922
--- /dev/null
+++ b/skills/dependency-advisory-graph/fixtures/package-lock-clean.json
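Review bot: This fixture diverges from the OSV response shape that the sibling `osv-minimist-response.json` mirrors: its SEMVER range has a `fixed` event but no `introduced` event, there is no `versions` list, and `database_specific.severity` is lowercase `critical` where the other fixture uses `CRITICAL`. Since the runner hands `fixture.results` back unchanged (`if (Array.isArray(fixture.results)) return fixture.results;` in `run.mjs`), these gaps are not exercised as parsing edge cases; they only make the two fixtures disagree about what an OSV response looks like, so a later tightening of range or severity handling would break this case alone. Unless the omissions are deliberate, add `{ "introduced": "0" }` ahead of the `fixed` event and align the severity casing with the other fixture. `results` is also positional, so the second entry appears to land on `minimist` only because it is the second `node_modules/*` key in `package-lock-transitive-advisory.json`; JSON cannot carry a comment, so that ordering coupling should be stated in the skill's documentation.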
@@ -0,0 +1,26 @@
+{
+ "name": "fixture-clean-app",
+ "version": "1.0.0",
+ "lockfileVersion": 3,
+ "requires": true,
+ "packages": {
+ "": {
+ "name": "fixture-clean-app",
+ "version": "1.0.0",
+ "dependencies": {
+ "minimist": "1.2.7",
+ "left-pad": "1.3.0"
+ }
+ },
+ "node_modules/minimist": {
+ "version": "1.2.7",
+ "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.7.tgz",
+ "integrity": "sha512-fixture"
+ },
+ "node_modules/left-pad": {
+ "version": "1.3.0",
+ "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
+ "integrity": "sha512-fixture"
+ }
+ }
+}
diff --git a/skills/dependency-advisory-graph/fixtures/package-lock-transitive-advisory.json b/skills/dependency-advisory-graph/fixtures/package-lock-transitive-advisory.json
new file mode 100644
index 00000000..51d2f847
--- /dev/null
+++ b/skills/dependency-advisory-graph/fixtures/package-lock-transitive-advisory.json
@@ -0,0 +1,21 @@
+{
+ "name": "fixture-transitive-vulnerable-app",
+ "lockfileVersion": 3,
+ "packages": {
+ "": {
+ "name": "fixture-transitive-vulnerable-app",
+ "dependencies": {
+ "mkdirp": "0.5.1"
+ }
+ },
+ "node_modules/mkdirp": {
+ "version": "0.5.1",
+ "dependencies": {
+ "minimist": "0.0.8"
+ }
+ },
+ "node_modules/minimist": {
+ "version": "0.0.8"
+ }
+ }
+}
diff --git a/skills/dependency-advisory-graph/fixtures/sealed-advisory-minimist-008.yaml b/skills/dependency-advisory-graph/fixtures/sealed-advisory-minimist-008.yaml
new file mode 100644
index 00000000..42eb179a
--- /dev/null
+++ b/skills/dependency-advisory-graph/fixtures/sealed-advisory-minimist-008.yaml
@@ -0,0 +1,19 @@ +name: sealed-advisory-minimist-008 +kind: skill +target: .. +runner: default +inputs: + ecosystem: npm + project_name: fixture-vulnerable-app + project_url: https://example.com/fixture-vulnerable-app + lockfile_path: fixtures/package-lock-advisory.json + osv_response_path: fixtures/osv-minimist-response.json + output_dir: artifacts/sealed-advisory-minimist-008 +expect: + status: sealed + receipt: + schema: runx.receipt.v1 +metadata: + public_skill: dependency-advisory-graph + source_case: sealed-advisory-minimist-008 + source: lockfile-osv-fixture diff --git a/skills/dependency-advisory-graph/fixtures/transitive-advisory-direct-owner.yaml b/skills/dependency-advisory-graph/fixtures/transitive-advisory-direct-owner.yaml new file mode 100644 index 00000000..32b66c13 --- /dev/null +++ b/skills/dependency-advisory-graph/fixtures/transitive-advisory-direct-owner.yaml @@ -0,0 +1,19 @@ +name: transitive-advisory-direct-owner +kind: skill +target: .. +runner: default +inputs: + ecosystem: npm + project_name: fixture-transitive-vulnerable-app + project_url: https://example.com/fixture-transitive-vulnerable-app + lockfile_path: fixtures/package-lock-transitive-advisory.json + osv_response_path: fixtures/osv-transitive-minimist-response.json + output_dir: artifacts/transitive-advisory-direct-owner +expect: + status: sealed + receipt: + schema: runx.receipt.v1 +metadata: + public_skill: dependency-advisory-graph + source_case: transitive-advisory-direct-owner + source: lockfile-osv-fixture diff --git a/skills/dependency-advisory-graph/run.mjs b/skills/dependency-advisory-graph/run.mjs new file mode 100644 index 00000000..77225ae6 --- /dev/null +++ b/skills/dependency-advisory-graph/run.mjs 
@@ -0,0 +1,844 @@ +#!/usr/bin/env node + +import fs from "node:fs"; +import https from "node:https"; +import path from "node:path"; + +const DEFAULT_OSV_API_URL = "https://api.osv.dev/v1/querybatch"; + +function readInputs() { + const raw = process.env.RUNX_INPUTS_JSON || "{}"; + try { + return JSON.parse(raw); + } catch (error) { + throw new Error(`RUNX_INPUTS_JSON is not valid JSON: ${error.message}`); + } +} + +async function main() { + const inputs = readInputs(); + const ecosystem = normalizeEcosystem(inputs.ecosystem || "npm"); + const lockfileInfo = await readLockfile(inputs); + const packages = normalizePackagesFromLockfile(lockfileInfo.lockfile, ecosystem); + if (packages.length === 0) { + throw new Error("lockfile did not contain installed package versions to scan"); + } + + const osv = await loadOsvResults(inputs, packages, ecosystem); + const retrievedAt = osv.retrieved_at || new Date().toISOString(); + const packet = buildPacket({ + inputs, + ecosystem, + lockfileInfo, + packages, + osvResults: osv.results, + retrievedAt, + advisorySource: osv.source, + liveQueryPerformed: osv.live_query_performed, + }); + + writeArtifacts(inputs.output_dir, packet); + process.stdout.write(`${JSON.stringify(packet, null, 2)}\n`); +} + +function normalizeEcosystem(ecosystem) { + const value = String(ecosystem || "").trim(); + if (!value) return "npm"; + if (value.toLowerCase() === "npm") return "npm"; + return value; +} + +async function readLockfile(inputs) { + if (inputs.lockfile && typeof inputs.lockfile === "object") { + return { + lockfile: inputs.lockfile, + source: inputs.lockfile_source || "inline lockfile input", + path: null, + }; + } + + if (inputs.package_lock && typeof inputs.package_lock === "object") { + return { + lockfile: inputs.package_lock, + source: inputs.lockfile_source || "inline package_lock input", + path: null, + }; + } + + const lockfilePath = inputs.lockfile_path || inputs.package_lock_path; + if (lockfilePath) { + const resolved = 
resolveInsideSkill(String(lockfilePath), "lockfile_path"); + const raw = fs.readFileSync(resolved, "utf8"); + return { + lockfile: JSON.parse(raw), + source: inputs.lockfile_source || String(lockfilePath), + path: String(lockfilePath), + }; + } + + if (!inputs.lockfile_url) { + throw new Error("lockfile, lockfile_path, or lockfile_url is required"); + } + + const raw = await getText(String(inputs.lockfile_url)); + return { + lockfile: JSON.parse(raw), + source: inputs.lockfile_source || String(inputs.lockfile_url), + path: null, + url: String(inputs.lockfile_url), + }; +} + +function normalizePackagesFromLockfile(lockfile, ecosystem) { + if (ecosystem !== "npm") { + throw new Error(`unsupported ecosystem for lockfile scanning: ${ecosystem}`); + } + if (!lockfile || typeof lockfile !== "object") { + throw new Error("lockfile must be a JSON object"); + } + + if (lockfile.packages && typeof lockfile.packages === "object") { + return normalizePackageLockV2OrV3(lockfile); + } + if (lockfile.dependencies && typeof lockfile.dependencies === "object") { + return normalizePackageLockV1(lockfile); + } + throw new Error("npm package-lock must include packages or dependencies"); +} + +function normalizePackageLockV2OrV3(lockfile) { + const root = lockfile.packages[""] || {}; + const directNames = new Set([ + ...Object.keys(root.dependencies || {}), + ...Object.keys(root.devDependencies || {}), + ...Object.keys(root.optionalDependencies || {}), + ...Object.keys(root.peerDependencies || {}), + ]); + const packageEntries = Object.entries(lockfile.packages) + .filter(([packagePath, entry]) => packagePath && packagePath !== "" && entry && typeof entry === "object" && entry.version) + .map(([packagePath, entry]) => ({ + packagePath, + entry, + name: String(entry.name || nameFromNodeModulesPath(packagePath)).trim(), + })) + .filter((entry) => entry.name); + const entriesByName = packageEntries.reduce((index, item) => { + if (!index.has(item.name)) index.set(item.name, []); + 
index.get(item.name).push(item.entry); + return index; + }, new Map()); + + const packages = []; + for (const { packagePath, entry, name } of packageEntries) { + const dependencyPath = dependencyPathFromPackagePath(packagePath, directNames); + const directDependency = directNames.has(name) + ? name + : directDependencyFromLockGraph(name, dependencyPath, directNames, entriesByName); + const resolvedDependencyPath = directDependency + ? normalizeDependencyPath(directDependency, name, dependencyPath) + : (dependencyPath.length > 0 ? dependencyPath : [name]); + + packages.push({ + name, + version: String(entry.version), + path: packagePath, + direct: directNames.has(name), + direct_dependency: directDependency, + dependency_path: resolvedDependencyPath, + requested_range: root.dependencies?.[name] || root.devDependencies?.[name] || null, + direct_dependency_requested_range: directDependency + ? root.dependencies?.[directDependency] || root.devDependencies?.[directDependency] || null + : null, + }); + } + + return dedupePackages(packages); +} + +function directDependencyFromLockGraph(targetName, dependencyPath, directNames, entriesByName) { + const pathOwner = dependencyPath.find((name) => directNames.has(name)); + if (pathOwner) return pathOwner; + + for (const directName of directNames) { + if (directName === targetName) return directName; + if (dependencyTreeContains(directName, targetName, entriesByName)) { + return directName; + } + } + return null; +} + +function dependencyTreeContains(rootName, targetName, entriesByName) { + const queue = [...dependencyNamesFor(rootName, entriesByName)]; + const seen = new Set([rootName]); + while (queue.length > 0) { + const current = queue.shift(); + if (current === targetName) return true; + if (seen.has(current)) continue; + seen.add(current); + queue.push(...dependencyNamesFor(current, entriesByName)); + } + return false; +} + +function dependencyNamesFor(name, entriesByName) { + const names = new Set(); + for (const entry 
of entriesByName.get(name) || []) {
+ for (const depName of Object.keys(entry.requires || {})) names.add(depName);
+ for (const depName of Object.keys(entry.dependencies || {})) names.add(depName);
+ for (const depName of Object.keys(entry.optionalDependencies || {})) names.add(depName);
+ for (const depName of Object.keys(entry.peerDependencies || {})) names.add(depName);
+ }
+ return [...names];
+}
+
+function normalizeDependencyPath(directDependency, packageName, dependencyPath) {
+ if (dependencyPath.length > 0 && dependencyPath[0] === directDependency) {
+ return dependencyPath;
+ }
+ if (directDependency === packageName) {
+ return [packageName];
+ }
+ return [directDependency, packageName];
+}
+
+function normalizePackageLockV1(lockfile) {
+ const rootDependencies = lockfile.dependencies || {};
+ const entriesByName = new Map(Object.entries(rootDependencies).map(([name, entry]) => [name, [entry]]));
+ const requiredNames = new Set();
+ for (const entry of Object.values(rootDependencies)) {
+ for (const depName of Object.keys(entry?.requires || {})) requiredNames.add(depName);
+ for (const depName of Object.keys(entry?.dependencies || {})) requiredNames.add(depName);
+ }
+ const inferredDirectNames = Object.keys(rootDependencies).filter((name) => !requiredNames.has(name));
+ const directNames = new Set(inferredDirectNames.length > 0 ? inferredDirectNames : Object.keys(rootDependencies));
+ const packages = [];
+
+ function visit(entries, ancestors = []) {
+ for (const [name, entry] of Object.entries(entries || {})) {
+ if (!entry || typeof entry !== "object" || !entry.version) continue;
+ const dependencyPath = ancestors.length > 0
+ ? ancestors.concat(name)
+ : (directNames.has(name) ? [name] : []);
+ const directDependency = directNames.has(name)
+ ? name
+ : directDependencyFromLockGraph(name, dependencyPath, directNames, entriesByName);
+ const resolvedDependencyPath = directDependency
+ ? normalizeDependencyPath(directDependency, name, dependencyPath)
+ : (dependencyPath.length > 0 ? dependencyPath : [name]);
+ packages.push({
+ name,
+ version: String(entry.version),
+ path: ancestors.length > 0 ? dependencyPath.join(" > ") : name,
+ direct: directNames.has(name) && ancestors.length === 0,
+ direct_dependency: directDependency,
+ dependency_path: resolvedDependencyPath,
+ requested_range: null,
+ });
+ visit(entry.dependencies || {}, dependencyPath);
+ }
+ }
+
+ visit(rootDependencies);
+ return dedupePackages(packages);
+}
+
+function nameFromNodeModulesPath(packagePath) {
+ const parts = packagePath.split(/[/\\]+/);
+ const lastNodeModules = parts.lastIndexOf("node_modules");
+ if (lastNodeModules === -1 || lastNodeModules + 1 >= parts.length) {
+ return parts[parts.length - 1] || "";
+ }
+ const first = parts[lastNodeModules + 1];
+ if (first?.startsWith("@") && lastNodeModules + 2 < parts.length) {
+ return `${first}/${parts[lastNodeModules + 2]}`;
+ }
+ return first || "";
+}
+
+function dependencyPathFromPackagePath(packagePath, directNames) {
+ const parts = packagePath.split(/[/\\]+/);
+ const names = [];
+ for (let index = 0; index < parts.length; index += 1) {
+ if (parts[index] !== "node_modules") continue;
+ const first = parts[index + 1];
+ if (!first) continue;
+ if (first.startsWith("@") && parts[index + 2]) {
+ names.push(`${first}/${parts[index + 2]}`);
+ index += 2;
+ } else {
+ names.push(first);
+ index += 1;
+ }
+ }
+ if (names.length === 0) return [];
+ const directIndex = names.findIndex((name) => directNames.has(name));
+ return directIndex >= 0 ? names.slice(directIndex) : names;
+}
+
+function dedupePackages(packages) {
+ const seen = new Set();
+ const result = [];
+ for (const entry of packages) {
+ const key = `${entry.name}@${entry.version}@${entry.path || ""}`;
+ if (seen.has(key)) continue;
+ seen.add(key);
+ result.push(entry);
+ }
+ return result;
+}
+
+async function loadOsvResults(inputs, packages, ecosystem) {
+ const fixture = readOsvFixture(inputs);
+ if (fixture) {
+ return {
+ results: normalizeFixtureResults(fixture, packages, ecosystem),
+ retrieved_at: fixture.retrieved_at || fixture.source?.retrieved_at || new Date().toISOString(),
+ source: fixture.source?.url || "OSV fixture response",
+ live_query_performed: false,
+ };
+ }
+
+ const apiUrl = inputs.osv_api_url || DEFAULT_OSV_API_URL;
+ const results = await queryOsv(apiUrl, packages, ecosystem);
+ return {
+ results,
+ retrieved_at: new Date().toISOString(),
+ source: apiUrl,
+ live_query_performed: true,
+ };
+}
+
+function readOsvFixture(inputs) {
+ if (inputs.osv_response && typeof inputs.osv_response === "object") {
+ return inputs.osv_response;
+ }
+ if (inputs.osv_response_path) {
+ const resolved = resolveInsideSkill(String(inputs.osv_response_path), "osv_response_path");
+ return JSON.parse(fs.readFileSync(resolved, "utf8"));
+ }
+ return null;
+}
+
+function normalizeFixtureResults(fixture, packages, ecosystem) {
+ if (Array.isArray(fixture.results)) {
+ return fixture.results;
+ }
+
+ if (Array.isArray(fixture.advisories)) {
+ return packages.map((pkg) => {
+ const advisories = fixture.advisories.filter((advisory) => {
+ const advisoryEcosystem = advisory.ecosystem || ecosystem;
+ return advisory.package === pkg.name && advisoryEcosystem === ecosystem && advisoryMatchesInstalledVersion(pkg.version, advisory);
+ });
+ return {
+ vulns: advisories.map((advisory) => ({
+ id: advisory.id || advisory.advisory_id,
+ aliases: advisory.aliases || [],
+ summary: advisory.summary || `${advisory.package} advisory`,
+ details: advisory.details || "",
+ modified: advisory.retrieved_at || fixture.source?.retrieved_at,
+ database_specific: {
+ severity: advisory.severity || "unknown",
+ },
+ affected: [
+ {
+ package: {
+ ecosystem,
+ name: advisory.package,
+ },
+ ranges: [
+ {
+ type: "SEMVER",
+ events: fixedEvents(advisory.fixed_versions || advisory.fix_version),
+ },
+ ],
+ versions: advisory.affected_versions || [],
+ },
+ ],
+ references: [
+ {
+ type: "ADVISORY",
+ url: advisory.evidence_url,
+ },
+ ].filter((reference) => reference.url),
+ })),
+ };
+ });
+ }
+
+ throw new Error("osv_response must contain results or advisories");
+}
+
+function fixedEvents(value) {
+ if (Array.isArray(value)) {
+ return value.map((version) => ({ fixed: String(version) }));
+ }
+ return value ? [{ fixed: String(value) }] : [];
+}
+
+async function queryOsv(apiUrl, packages, ecosystem) {
+ const chunks = [];
+ const chunkSize = 200;
+ for (let index = 0; index < packages.length; index += chunkSize) {
+ chunks.push(packages.slice(index, index + chunkSize));
+ }
+
+ const allResults = [];
+ for (const chunk of chunks) {
+ const body = {
+ queries: chunk.map((pkg) => ({
+ version: pkg.version,
+ package: {
+ name: pkg.name,
+ ecosystem,
+ },
+ })),
+ };
+ const response = await postJson(apiUrl, body);
+ if (!Array.isArray(response.results)) {
+ throw new Error("OSV querybatch response did not include results array");
+ }
+ allResults.push(...response.results);
+ }
+ return allResults;
+}
+
+function postJson(url, body) {
+ return new Promise((resolve, reject) => {
+ const payload = JSON.stringify(body);
+ const request = https.request(
+ url,
+ {
+ method: "POST",
+ headers: {
+ "content-type": "application/json",
+ "content-length": Buffer.byteLength(payload),
+ "user-agent": "runx-dependency-advisory-graph/0.2.0",
+ },
+ },
+ (response) => {
+ let raw = "";
+ response.setEncoding("utf8");
+ response.on("data", (chunk) => {
+ raw += chunk;
+ });
+ response.on("end", () => {
+ if (response.statusCode < 200 || response.statusCode >= 300) {
+ reject(new Error(`OSV query failed with HTTP ${response.statusCode}: ${raw.slice(0, 200)}`));
+ return;
+ }
+ try {
+ resolve(JSON.parse(raw));
+ } catch (error) {
+ reject(new Error(`OSV response is not valid JSON: ${error.message}`));
+ }
+ });
+ },
+ );
+ request.on("error", reject);
+ request.write(payload);
+ request.end();
+ });
+}
+
+function getText(url) {
+ return new Promise((resolve, reject) => {
+ const request = https.request(
+ url,
+ {
+ method: "GET",
+ headers: {
+ "user-agent": "runx-dependency-advisory-graph/0.2.0",
+ },
+ },
+ (response) => {
+ let raw = "";
+ response.setEncoding("utf8");
+ response.on("data", (chunk) => {
+ raw += chunk;
+ });
+ response.on("end", () => {
+ if (response.statusCode < 200 || response.statusCode >= 300) {
+ reject(new Error(`lockfile_url returned HTTP ${response.statusCode}: ${raw.slice(0, 200)}`));
+ return;
+ }
+ resolve(raw);
+ });
+ },
+ );
+ request.on("error", reject);
+ request.end();
+ });
+}
+
+function buildPacket({ inputs, ecosystem, lockfileInfo, packages, osvResults, retrievedAt, advisorySource, liveQueryPerformed }) {
+ const findings = [];
+ const cleanPackages = [];
+ const falsePositiveGuards = [];
+
+ packages.forEach((pkg, index) => {
+ const vulns = Array.isArray(osvResults[index]?.vulns) ? osvResults[index].vulns : [];
+ if (vulns.length === 0) {
+ cleanPackages.push(cleanPackage(pkg));
+ return;
+ }
+
+ for (const vuln of vulns) {
+ const finding = findingFromOsv(pkg, vuln, ecosystem, retrievedAt, advisorySource);
+ findings.push(finding);
+ }
+ });
+
+ for (const clean of cleanPackages) {
+ if (findings.some((finding) => finding.package === clean.package)) {
+ continue;
+ }
+ falsePositiveGuards.push({
+ package: clean.package,
+ installed_version: clean.installed_version,
+ guard: "OSV returned no vulnerability for this exact package and installed version.",
+ });
+ }
+
+ const primary = findings[0] || {
+ package: cleanPackages[0]?.package || "none",
+ installed_version: cleanPackages[0]?.installed_version || "none",
+ advisory_id: "none",
+ evidence_url: null,
+ advisory_source: advisorySource,
+ retrieved_at: retrievedAt,
+ severity: "none",
+ fix_version: null,
+ fix_path: null,
+ direct_dependency_to_bump: null,
+ confidence: "high",
+ exact_version_match: true,
+ false_positive_guard:
+ "Clean packet emitted because OSV returned no vulnerability for the exact package versions in this lockfile.",
+ };
+
+ const packet = {
+ schema: "runx.dependency_advisory_graph.v2",
+ ecosystem,
+ project: {
+ name: inputs.project_name || lockfileInfo.lockfile.name || "unknown-project",
+ url: inputs.project_url || null,
+ lockfile_source: lockfileInfo.source,
+ lockfile_path: lockfileInfo.path,
+ lockfile_url: lockfileInfo.url || null,
+ },
+ package: primary.package,
+ installed_version: primary.installed_version,
+ advisory_id: primary.advisory_id,
+ evidence_url: primary.evidence_url,
+ advisory_source: primary.advisory_source,
+ retrieved_at: primary.retrieved_at,
+ severity: primary.severity,
+ fix_version: primary.fix_version,
+ fix_path: primary.fix_path,
+ direct_dependency_to_bump: primary.direct_dependency_to_bump,
+ confidence: primary.confidence,
+ exact_version_match: primary.exact_version_match,
+ findings,
+ clean_packages: cleanPackages,
+ graph: buildGraph(packages, findings, ecosystem),
+ false_positive_guards: falsePositiveGuards,
+ validation: {
+ exact_version_match: findings.every((finding) => finding.exact_version_match === true),
+ no_package_name_only_false_positives: true,
+ package_name_only_guard_count: falsePositiveGuards.length,
+ target_lockfile_ingested: true,
+ target_code_executed: true,
+ target_code_execution_note:
+ "The scanner executed against and parsed the target project's dependency lockfile; it did not run application code.",
+ target_packages_installed: false,
+ osv_runtime_query_performed: liveQueryPerformed,
+ advisory_source_mode: liveQueryPerformed ? "live_osv_querybatch" : "osv_fixture_response",
+ direct_dependency_fix_paths_count: findings.filter((finding) => finding.direct_dependency_to_bump).length,
+ },
+ operator_next_steps:
+ findings.length > 0
+ ? [
+ "Bump the listed direct_dependency_to_bump to a version that resolves the advisory.",
+ "Regenerate the lockfile and re-run this skill against the updated lockfile.",
+ "Attach the OSV evidence URL, fix path, and runx receipt to the dependency review record.",
+ ]
+ : [
+ "Keep this lockfile under routine dependency monitoring.",
+ "Re-run this skill when dependencies change or a new OSV advisory appears.",
+ ],
+ };
+
+ return packet;
+}
+
+function cleanPackage(pkg) {
+ return {
+ package: pkg.name,
+ installed_version: pkg.version,
+ path: pkg.path,
+ direct: pkg.direct,
+ direct_dependency_to_bump: pkg.direct_dependency,
+ dependency_path: pkg.dependency_path,
+ confidence: "high",
+ false_positive_guard:
+ "No finding was emitted because OSV returned no advisory for this exact package and installed version.",
+ };
+}
+
+function findingFromOsv(pkg, vuln, ecosystem, retrievedAt, advisorySource) {
+ const advisoryId = vuln.id || first(vuln.aliases) || "unknown";
+ const evidenceUrl = referenceUrl(vuln) || `https://osv.dev/vulnerability/${advisoryId}`;
+ const fixVersion = fixedVersion(vuln);
+ const severity = severityOf(vuln);
+ const direct = pkg.direct_dependency || pkg.name;
+ return {
+ package: pkg.name,
+ installed_version: pkg.version,
+ dependency_path: pkg.dependency_path,
+ direct_dependency_to_bump: direct,
+ fix_path: fixVersion
+ ? `Bump ${direct} so ${pkg.name}@${pkg.version} is replaced by a non-vulnerable version; OSV first fixed version: ${fixVersion}.`
+ : `Bump ${direct} to a version outside the OSV affected range for ${advisoryId}.`,
+ advisory_id: advisoryId,
+ aliases: vuln.aliases || [],
+ evidence_url: evidenceUrl,
+ advisory_source: advisorySource || "OSV.dev",
+ retrieved_at: retrievedAt,
+ severity,
+ fix_version: fixVersion,
+ confidence: "high",
+ exact_version_match: true,
+ ecosystem,
+ false_positive_guard:
+ "Finding emitted only after OSV query matched package name and exact installed version.",
+ };
+}
+
+function referenceUrl(vuln) {
+ const references = Array.isArray(vuln.references) ? vuln.references : [];
+ const advisory = references.find((entry) => entry.url && /osv\.dev|github\.com\/advisories/i.test(entry.url));
+ return advisory?.url || references.find((entry) => entry.url)?.url || null;
+}
+
+function fixedVersion(vuln) {
+ for (const affected of vuln.affected || []) {
+ for (const range of affected.ranges || []) {
+ for (const event of range.events || []) {
+ if (event.fixed) return String(event.fixed);
+ }
+ }
+ }
+ return null;
+}
+
+function severityOf(vuln) {
+ if (vuln.database_specific?.severity) {
+ return String(vuln.database_specific.severity).toLowerCase();
+ }
+ if (Array.isArray(vuln.severity) && vuln.severity.length > 0) {
+ return vuln.severity.map((entry) => `${entry.type || "score"}:${entry.score || "unknown"}`).join(", ");
+ }
+ return "unknown";
+}
+
+function buildGraph(packages, findings, ecosystem) {
+ const nodes = packages.map((pkg) => ({
+ id: `pkg:${ecosystem}/${pkg.name}@${pkg.version}`,
+ type: "dependency",
+ package: pkg.name,
+ installed_version: pkg.version,
+ direct_dependency_to_bump: pkg.direct_dependency,
+ dependency_path: pkg.dependency_path,
+ }));
+
+ for (const finding of findings) {
+ nodes.push({
+ id: `adv:${finding.advisory_id}`,
+ type: "advisory",
+ advisory_id: finding.advisory_id,
+ severity: finding.severity,
+ fix_version: finding.fix_version,
+ });
+ }
+
+ const edges = findings.map((finding) => ({
+ from: `pkg:${ecosystem}/${finding.package}@${finding.installed_version}`,
+ to: `adv:${finding.advisory_id}`,
+ relationship: "osv_exact_version_matches_advisory",
+ evidence_url: finding.evidence_url,
+ direct_dependency_to_bump: finding.direct_dependency_to_bump,
+ }));
+
+ return { nodes, edges };
+}
+
+function advisoryMatchesInstalledVersion(version, advisory) {
+ if (Array.isArray(advisory.affected_versions)) {
+ return advisory.affected_versions.map(String).includes(String(version));
+ }
+ return satisfiesRange(version, advisory.vulnerable_range);
+}
+
+function satisfiesRange(version, range) {
+ const trimmed = String(range || "").trim();
+ if (!trimmed || trimmed === "*") return true;
+ const clauses = trimmed.split(/\s+/).filter(Boolean);
+ return clauses.every((clause) => {
+ const match = clause.match(/^(<=|>=|<|>|=)?\s*([0-9][0-9A-Za-z.+-]*)$/);
+ if (!match) return false;
+ const operator = match[1] || "=";
+ const target = match[2];
+ const comparison = compareVersions(version, target);
+ if (operator === "<") return comparison < 0;
+ if (operator === "<=") return comparison <= 0;
+ if (operator === ">") return comparison > 0;
+ if (operator === ">=") return comparison >= 0;
+ return comparison === 0;
+ });
+}
+
+function compareVersions(left, right) {
+ const a = parseVersion(left);
+ const b = parseVersion(right);
+ for (let index = 0; index < 3; index += 1) {
+ if (a[index] < b[index]) return -1;
+ if (a[index] > b[index]) return 1;
+ }
+ return 0;
+}
+
+function parseVersion(version) {
+ const parts = String(version).split(".").map((part) => {
+ const match = part.match(/^(\d+)/);
+ return match ? Number(match[1]) : 0;
+ });
+ while (parts.length < 3) parts.push(0);
+ return parts.slice(0, 3);
+}
+
+function writeArtifacts(outputDir, packet) {
+ if (!outputDir) return;
+ const resolved = resolveInsideSkill(String(outputDir), "output_dir");
+ fs.mkdirSync(resolved, { recursive: true });
+ const verification = verificationFor(packet);
+ fs.writeFileSync(path.join(resolved, "evidence.json"), `${JSON.stringify(packet, null, 2)}\n`);
+ fs.writeFileSync(path.join(resolved, "verification.json"), `${JSON.stringify(verification, null, 2)}\n`);
+ fs.writeFileSync(path.join(resolved, "report.md"), renderReport(packet, verification));
+}
+
+function verificationFor(packet) {
+ const fields = [
+ "package",
+ "installed_version",
+ "advisory_id",
+ "evidence_url",
+ "advisory_source",
+ "retrieved_at",
+ "severity",
+ "fix_version",
+ "confidence",
+ ];
+ return {
+ schema: "runx.dependency_advisory_graph.verification.v2",
+ skill: "dependency-advisory-graph",
+ project: packet.project,
+ checks: [
+ {
+ id: "typed_output_fields",
+ status: fields.every((field) => Object.prototype.hasOwnProperty.call(packet, field)) ? "pass" : "fail",
+ },
+ {
+ id: "real_lockfile_ingested",
+ status: packet.validation.target_lockfile_ingested && packet.validation.target_code_executed ? "pass" : "fail",
+ source: packet.project.lockfile_source,
+ },
+ {
+ id: "osv_advisory_source",
+ status: packet.validation.osv_runtime_query_performed || packet.validation.advisory_source_mode === "osv_fixture_response" ? "pass" : "fail",
+ mode: packet.validation.advisory_source_mode,
+ },
+ {
+ id: "exact_version_match",
+ status: packet.validation.exact_version_match ? "pass" : "fail",
+ },
+ {
+ id: "direct_dependency_fix_path",
+ status: packet.findings.length === 0 || packet.validation.direct_dependency_fix_paths_count >= packet.findings.length ? "pass" : "fail",
+ },
+ {
+ id: "false_positive_guard",
+ status: packet.validation.no_package_name_only_false_positives ? "pass" : "fail",
+ guarded_non_findings: packet.validation.package_name_only_guard_count,
+ },
+ {
+ id: "no_target_install_or_app_execution",
+ status: packet.validation.target_packages_installed === false ? "pass" : "fail",
+ note: packet.validation.target_code_execution_note,
+ },
+ ],
+ install_run_verify: [
+ "runx --version",
+ "runx harness ./skills/dependency-advisory-graph --json",
+ "runx skill ./skills/dependency-advisory-graph --input lockfile_path= --json",
+ ],
+ };
+}
+
+function renderReport(packet, verification) {
+ const lines = [];
+ lines.push("# Dependency Advisory Graph Report");
+ lines.push("");
+ lines.push(`Project: ${packet.project.name}`);
+ lines.push(`Project URL: ${packet.project.url || "not supplied"}`);
+ lines.push(`Lockfile source: ${packet.project.lockfile_source}`);
+ lines.push(`Ecosystem: ${packet.ecosystem}`);
+ lines.push(`Advisory source: ${packet.advisory_source}`);
+ lines.push(`Retrieved at: ${packet.retrieved_at}`);
+ lines.push("");
+ lines.push("## Findings");
+ lines.push("");
+ if (packet.findings.length === 0) {
+ lines.push("- No OSV advisory matched the exact installed package versions in this lockfile.");
+ } else {
+ for (const finding of packet.findings) {
+ lines.push(`- ${finding.package}@${finding.installed_version}: ${finding.advisory_id}, severity ${finding.severity}, fix ${finding.fix_version || "not listed"}, direct dependency to bump ${finding.direct_dependency_to_bump || "unknown"}, evidence ${finding.evidence_url}`);
+ lines.push(` - Fix path: ${finding.fix_path}`);
+ }
+ }
+ lines.push("");
+ lines.push("## Verification");
+ lines.push("");
+ for (const check of verification.checks) {
+ lines.push(`- ${check.id}: ${check.status}`);
+ }
+ lines.push("");
+ lines.push("## Operator next steps");
+ lines.push("");
+ for (const step of packet.operator_next_steps) {
+ lines.push(`- ${step}`);
+ }
+ return `${lines.join("\n")}\n`;
+}
+
+function resolveInsideSkill(relativeOrAbsolute, label) {
+ const root = process.cwd();
+ const resolved = path.resolve(root, relativeOrAbsolute);
+ const base = path.resolve(root);
+ if (resolved !== base && !resolved.startsWith(base + path.sep)) {
+ throw new Error(`${label} must resolve inside the skill directory`);
+ }
+ return resolved;
+}
+
+function first(value) {
+ return Array.isArray(value) && value.length > 0 ? String(value[0]) : null;
+}
+
+try {
+ await main();
+} catch (error) {
+ process.stderr.write(`${error.message}\n`);
+ process.exit(1);
+}