{
  "stage": "vuln_variant",
  "repository": "fastify/middie",
  "commit_source": "git_rev_parse",
  "commit_sha": "e038188b33b9436e1be9f9d1c1920416ec6c18f1",
  "submitted_target": {
    "target_kind": "version",
    "commit_sha": "792d2f46ae68516d3122c9a4468a5748a34efb47",
    "version": "9.3.2",
    "ref": "v9.3.2",
    "display": "@fastify/middie@9.3.2 (vulnerable)"
  },
  "variant_target": {
    "target_kind": "commit",
    "commit_sha": "e038188b33b9436e1be9f9d1c1920416ec6c18f1",
    "version": "9.3.3",
    "ref": "v9.3.3",
    "display": "@fastify/middie@9.3.3 (fixed = latest published)"
  },
  "resolution_method": {
    "fixed": "git -C <fixed_workspace> rev-parse HEAD -> e038188b33b9436e1be9f9d1c1920416ec6c18f1 (tag v9.3.3); npm view @fastify/middie version -> 9.3.3 (confirms fixed == latest published)",
    "vulnerable": "git -C <vuln_workspace> rev-parse HEAD -> 792d2f46ae68516d3122c9a4468a5748a34efb47 (tag v9.3.2; .git is a worktree gitfile under the fixed repo's .git/worktrees/repo-vuln-v932)",
    "fix_commit": "61d90cd0f578367283b486cb95f3b8c14bf3ddbf (present in fixed repo history, 'fix(engine): preserve encoded slashes in middleware params')",
    "companion_commit": "01acaed3b2353aef4611cd534b6a7267ca215227 ('fix(engine): reject malformed percent-encoded paths', same release)"
  },
  "find_my_way_version": "9.6.0 (both workspaces; provides safeDecodeURI used by the fix)",
  "node_version": "v24.18.0",
  "notes": "Source identity is recorded for completeness even though validation_verdict.json records a negative result (no distinct variant or bypass was confirmed). The exact fixed revision tested is commit e038188b (v9.3.3), which is also the latest published @fastify/middie version, so the fixed-version and latest-version checks are both satisfied by the same build. The vulnerable revision tested is commit 792d2f46 (v9.3.2). No repository checkout state was mutated during the analysis: the prepared project-cache worktrees were used read-only, and the reproduction script embeds its own probe harness and never runs git checkout."
}
