{
  "repository": "https://github.com/sigstore/sigstore-js",
  "commit_source": "git_rev_parse",
  "commit_sha": "f074710a91ea9260a9ac2142345634579843a3cd",
  "submitted_target": {
    "target_kind": "npm_package",
    "commit_sha": "7845532f9d17f6f765363dbee82b01bd159fb52b",
    "version": "3.1.0",
    "ref": "f074710^ (parent of fix)",
    "display": "@sigstore/verify 3.1.0 (vulnerable commit 7845532)"
  },
  "variant_target": {
    "target_kind": "npm_package",
    "commit_sha": "f074710a91ea9260a9ac2142345634579843a3cd",
    "version": "3.1.1",
    "ref": "f074710 (fix commit)",
    "display": "@sigstore/verify 3.1.1 (fixed commit f074710) -- bypass reproduced here"
  },
  "notes": "Both commits resolved via git rev-parse from the cloned sigstore-js repo in the durable project cache. Vulnerable=parent of fix (3.1.0); fixed=fix commit f074710 (3.1.1). The bypass is confirmed on the fixed commit."
}