From d9b6ac15d6fd7c0df12439bc2d76aa6a3fcea5c2 Mon Sep 17 00:00:00 2001 From: Fayz7 Date: Mon, 9 Feb 2026 18:50:51 +0300 Subject: [PATCH 1/4] PR template --- .github/pull_request_template.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/pull_request_template.md diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000..e1aa7d43 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,23 @@ +## Goal + + + +## Changes + + + +## Testing + + + +## Artifacts & Screenshots + + + +--- + +### Checklist + +- [ ] PR title is clear and descriptive +- [ ] Documentation updated if needed +- [ ] No secrets, temporary files, or large binaries included From 715ade984aaf7695bc78e48bc8e1ec654b3e631c Mon Sep 17 00:00:00 2001 From: Fayz7 Date: Mon, 9 Feb 2026 20:41:42 +0300 Subject: [PATCH 2/4] docs(lab1): complete Lab 1 submission --- labs/img/juice-home.jpg | Bin 0 -> 67406 bytes labs/submission1.md | 183 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 183 insertions(+) create mode 100644 labs/img/juice-home.jpg create mode 100644 labs/submission1.md 
diff --git a/labs/img/juice-home.jpg b/labs/img/juice-home.jpg new file mode 100644 index 0000000000000000000000000000000000000000..caf9f30f7d55d6ee564f754e22f10a5ef5fbf841 GIT binary patch literal 67406
diff --git a/labs/submission1.md b/labs/submission1.md new file mode 100644 index 00000000..d65295db --- /dev/null +++ b/labs/submission1.md 
@@ -0,0 +1,183 @@ +# Lab 1 — OWASP Juice Shop & PR Workflow + +## Task 1 — Triage Report — OWASP Juice Shop + +# Triage Report — OWASP Juice Shop + +## Scope & Asset +- Asset: OWASP Juice Shop (local lab instance) +- Image: bkimminich/juice-shop:v19.0.0 +- Release link/date: https://github.com/juice-shop/juice-shop/releases/tag/v19.0.0 — September 2024 +- Image digest (optional): *(not collected)* + +--- + +## Environment +- Host OS: Ubuntu Linux (VirtualBox VM, user: vboxuser, host: amirLinux) +- Docker version: 28.2.2 + +--- + +## Deployment Details + +Run command used: + +```bash +docker run -d --name juice-shop \ + -p 127.0.0.1:3000:3000 \ + bkimminich/juice-shop:v19.0.0 +``` + +Access URL: http://127.0.0.1:3000 + +Network exposure: 127.0.0.1 only — [x] Yes [ ] No + +Because the container port is bound explicitly to localhost + +## Health Check + +1. UI Check + +Navigated to http://127.0.0.1:3000 + +The OWASP Juice Shop UI loaded successfully + +Screenshot: labs/img/juice-home.jpg + +2. API Check + +Command executed: +```bash +curl -s http://127.0.0.1:3000/rest/products | head +``` + +Output: +```html + + + + Error: Unexpected path: /rest/products + + + ... + + +``` + +This confirms that: + +the backend is reachable, + +the request hits the application, + +but this specific version/route returns a generic error handler page — acceptable for triage documentation + + +## Surface Snapshot (Triage) + +Login/Registration visible: Yes +Notes: Login and Register shown in the top menu. + +Product listing/search present: Yes +Notes: Main page includes product cards + search bar. + +Admin/account area discoverable: Yes +Notes: Account menu and admin panel options visible in UI. + +Client-side console errors: No +Notes: No JS errors in browser DevTools. + +Security headers (quick look): +```bash +curl -I http://127.0.0.1:3000 +``` + +Notes: +Headers are minimal and lack CSP/HSTS/X-Frame-Options. 
+Expected for a deliberately insecure training application, but would be a serious issue in production + +## Risks Observed (Top 3) + +1. Verbose stack traces exposed to users. +/rest/products returns HTML containing internal error messages and detailed stack traces — dangerous information disclosure in real environments. + +2. Application could be accidentally exposed publicly. +If binded to 0.0.0.0 or deployed to a VPS, attackers could exploit Juice Shop’s intentional vulnerabilities. + +3. Large attack surface (auth, search, basket, admin). +Many user input points → higher risk of XSS, SQLi, IDOR, and broken authentication if this were a real e-commerce system + +## Task 2 - PR Template Setup & Verification + +PR Template Creation + +A pull request template was added at: +```bash +.github/pull_request_template.md +``` + +Template includes: + +Sections: Goal, Changes, Testing, Artifacts & Screenshots + +Checklist: + + PR title is clear and descriptive + + Documentation updated if needed + + No secrets, temporary files, or large binaries included + +This ensures consistent structure and quality across all lab submissions + +Template Application Verification + +Steps performed: + +1. Created a new branch: +```bash +git checkout -b feature/lab1 +``` + +2. Added the submission file and screenshot: +```bash +git add labs/submission1.md labs/img/juice-home.png +git commit -m "docs(lab1): add submission1 report" +git push -u origin feature/lab1 +``` + +3. Opened a pull request inside my fork (feature/lab1 → main) + +4. GitHub automatically applied the PR template: + +* Goal + +* Changes + +* Testing + +* Artifacts & Screenshots + +* 3-step Checklist + +5. 
Filled in the template with deployment/testing details + +How Templates Improve Collaboration + +Ensures every PR has a clear purpose and structure + +Reduces review time for instructors + +Prevents mistakes (missing docs, secrets, temp files) + +Standardizes workflow for all future labs + + +## Challenges & Solutions + +API endpoint returned HTML instead of JSON. +Resolved by analyzing server logs, confirming the backend is up, +and documenting the behaviour properly in the triage report. + +PR template not loading at first. +Fixed by committing the template on the main branch of my fork — required by GitHub From 5224b9fdcb07417529f7ecb44602cfb11a827748 Mon Sep 17 00:00:00 2001 From: fayz131 Date: Mon, 23 Mar 2026 15:45:51 +0300 Subject: [PATCH 3/4] docs(lab7): add snyk comparison results --- labs/lab7/scanning/snyk-results.txt | 255 ++++++++++++++++++++++++ labs/submission7.md | 297 ++++++++++++++++++++++++++++ 2 files changed, 552 insertions(+) create mode 100644 labs/lab7/scanning/snyk-results.txt create mode 100644 labs/submission7.md diff --git a/labs/lab7/scanning/snyk-results.txt b/labs/lab7/scanning/snyk-results.txt new file mode 100644 index 00000000..4513f014 --- /dev/null +++ b/labs/lab7/scanning/snyk-results.txt @@ -0,0 +1,255 @@ + +Testing bkimminich/juice-shop:v19.0.0... + +✗ High severity vulnerability found in openssl/libssl3 + Description: CVE-2025-69421 + Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-15123192 + Introduced through: openssl/libssl3@3.0.17-1~deb12u2 + From: openssl/libssl3@3.0.17-1~deb12u2 + Fixed in: 3.0.18-1~deb12u2 + +------------ Detected 5 vulnerabilities for node@22.18.0 ------------ + + +✗ High severity vulnerability found in node + Description: UNIX Symbolic Link (Symlink) Following + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14928586 + Introduced through: node@22.18.0 + 
From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Uncaught Exception + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14929624 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14975915 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ High severity vulnerability found in node + Description: Uncaught Exception + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14982196 + Introduced through: node@22.18.0 + From: node@22.18.0 + Fixed in: 22.22.0 + +✗ Critical severity vulnerability found in node + Description: Race Condition + Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14928492 + Introduced through: node@22.18.0 + 
From: node@22.18.0 + Fixed in: 22.22.0 + +Organization: fayz131 +Package manager: deb +Project name: docker-image|bkimminich/juice-shop +Docker image: bkimminich/juice-shop:v19.0.0 +Platform: linux/amd64 +Target OS: Distroless +Licenses: enabled + +Tested 10 dependencies for known issues, found 6 issues. + +------------------------------------------------------- + +Testing bkimminich/juice-shop:v19.0.0... + +Tested 975 dependencies for known issues, found 47 issues. + + +Issues to fix by upgrading: + + Upgrade body-parser@1.20.3 to body-parser@1.20.4 to fix + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-14724253] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-15268416] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + + Upgrade check-dependencies@1.1.1 to check-dependencies@2.0.0 to fix + ✗ Excessive Platform Resource Consumption within a Loop [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727] in braces@2.3.2 + introduced by check-dependencies@1.1.1 > findup-sync@2.0.0 > micromatch@3.1.10 > braces@2.3.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@1.0.0 + introduced by check-dependencies@1.1.1 > findup-sync@2.0.0 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0 and 4 other path(s) + + Upgrade express@4.21.2 to express@4.22.0 to fix + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-14724253] in qs@6.13.0 + introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-15268416] in qs@6.13.0 + introduced by 
body-parser@1.20.3 > qs@6.13.0 and 2 other path(s) + + Upgrade express-ipfilter@1.3.2 to express-ipfilter@1.4.0 to fix + ✗ Server-side Request Forgery (SSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-IP-12704893] in ip@2.0.1 + introduced by express-ipfilter@1.3.2 > ip@2.0.1 + ✗ Server-side Request Forgery (SSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-IP-12761655] in ip@2.0.1 + introduced by express-ipfilter@1.3.2 > ip@2.0.1 + + Upgrade express-jwt@0.1.3 to express-jwt@6.0.0 to fix + ✗ Authorization Bypass [High Severity][https://security.snyk.io/vuln/SNYK-JS-EXPRESSJWT-575022] in express-jwt@0.1.3 + introduced by express-jwt@0.1.3 + ✗ Improper Verification of Cryptographic Signature [High Severity][https://security.snyk.io/vuln/SNYK-JS-JWS-14188253] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Forgeable Public/Private Tokens [High Severity][https://security.snyk.io/vuln/npm:jws:20160726] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Directory Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JS-MOMENT-2440688] in moment@2.0.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 > moment@2.0.0 + ✗ Uninitialized Memory Exposure [High Severity][https://security.snyk.io/vuln/npm:base64url:20180511] in base64url@0.0.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 > base64url@0.0.6 and 3 other path(s) + ✗ Authentication Bypass [High Severity][https://security.snyk.io/vuln/npm:jsonwebtoken:20150331] in jsonwebtoken@0.1.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 and 1 other path(s) + + Upgrade glob@10.4.5 to glob@12.0.0 to fix + ✗ Command Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-GLOB-14040952] in glob@10.4.5 + introduced by glob@10.4.5 and 1 other path(s) + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by 
filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Regular Expression Denial of Service (ReDoS) (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353387] in minimatch@9.0.5 + introduced by glob@10.4.5 > minimatch@9.0.5 and 1 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade grunt-contrib-compress@1.6.0 to grunt-contrib-compress@2.0.0 to fix + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade jsonwebtoken@0.4.0 to jsonwebtoken@5.0.0 to fix + ✗ Improper Verification of Cryptographic Signature [High Severity][https://security.snyk.io/vuln/SNYK-JS-JWS-14188253] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Forgeable Public/Private Tokens [High Severity][https://security.snyk.io/vuln/npm:jws:20160726] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + ✗ Uninitialized Memory Exposure [High Severity][https://security.snyk.io/vuln/npm:base64url:20180511] in base64url@0.0.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 > base64url@0.0.6 and 3 other path(s) + ✗ Authentication Bypass [High Severity][https://security.snyk.io/vuln/npm:jsonwebtoken:20150331] in jsonwebtoken@0.1.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 and 1 other path(s) + + Upgrade 
multer@1.4.5-lts.2 to multer@2.1.1 to fix + ✗ Uncontrolled Recursion (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15417528] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Missing Release of Resource after Effective Lifetime (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15365916] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Incomplete Cleanup (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15365918] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10773732] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10185673] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Missing Release of Memory after Effective Lifetime [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10185675] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10299078] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + + Upgrade node-pre-gyp@0.15.0 to node-pre-gyp@0.17.0 to fix + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + Upgrade pdfkit@0.11.0 to pdfkit@0.12.2 to fix + ✗ Use of Weak Hash [High Severity][https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-6028119] in crypto-js@3.3.0 + introduced by pdfkit@0.11.0 > crypto-js@3.3.0 + + Upgrade sanitize-html@1.4.2 to 
sanitize-html@1.7.1 to fix + ✗ Code Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-1040724] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-450202] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-608086] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-6139239] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-73638] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + + Upgrade sequelize@6.37.7 to sequelize@6.37.8 to fix + ✗ SQL Injection (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-15456219] in sequelize@6.37.7 + introduced by sequelize@6.37.7 + + Upgrade socket.io@3.1.2 to socket.io@4.7.0 to fix + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-WS-7266574] in ws@7.4.6 + introduced by socket.io@3.1.2 > engine.io@4.1.2 > ws@7.4.6 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIO-7278048] in socket.io@3.1.2 + introduced by socket.io@3.1.2 + ✗ Allocation of Resources Without Limits or Throttling (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-15680278] in socket.io-parser@4.0.5 + introduced by socket.io@3.1.2 > socket.io-parser@4.0.5 + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-5596892] in socket.io-parser@4.0.5 + introduced by socket.io@3.1.2 > socket.io-parser@4.0.5 + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ENGINEIO-3136336] in engine.io@4.1.2 + introduced by socket.io@3.1.2 > engine.io@4.1.2 + + Upgrade 
sqlite3@5.1.7 to sqlite3@6.0.1 to fix + ✗ Directory Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15307072] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + ✗ Symlink Attack (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15416075] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + ✗ Symlink Attack (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15456201] in tar@7.4.3 + introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s) + + Upgrade unzipper@0.9.15 to unzipper@0.12.1 to fix + ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2 + introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s) + + +Issues with no direct upgrade or patch: + ✗ Type Confusion [High Severity][https://security.snyk.io/vuln/SNYK-JS-LIBXMLJS2-6808810] in libxmljs2@0.37.0 + introduced by libxmljs2@0.37.0 + No upgrade or patch available + ✗ Type Confusion [High Severity][https://security.snyk.io/vuln/SNYK-JS-LIBXMLJS2-6808816] in libxmljs2@0.37.0 + introduced by libxmljs2@0.37.0 + No upgrade or patch available + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032] in lodash.set@4.3.2 + introduced by grunt-replace-json@0.1.0 > lodash.set@4.3.2 + No upgrade or patch available + ✗ Arbitrary Code Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-MARSDB-480405] in marsdb@0.6.11 + introduced by marsdb@0.6.11 + No upgrade or patch available + ✗ Incomplete Filtering of One or More Instances of 
Special Elements [High Severity][https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476] in validator@13.15.15 + introduced by sequelize@6.37.7 > validator@13.15.15 + This issue was fixed in versions: 13.15.22 + ✗ Improper Control of Dynamically-Managed Code Resources [High Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-15116160] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.2 + ✗ Sandbox Bypass [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5537100] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.9.18 + ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5772823] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.0 + ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5772825] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.10.0 + + + +Organization: fayz131 +Package manager: npm +Target file: /juice-shop/package.json +Project name: juice-shop +Docker image: bkimminich/juice-shop:v19.0.0 +Licenses: enabled + + +Tested 2 projects, 2 contained vulnerable paths. + + + + + ERROR Forbidden (SNYK-CLI-0000) + The encountered error only provides basic information, please take a look at + the given details. If they do not help to resolve the issue, consider + debugging or consulting support. + + Forbidden + +Status: 403 Forbidden +Docs: https://docs.snyk.io/scan-with-snyk/error-catalog#snyk-cli-0000 + +ID: urn:snyk:interaction:bdc237b1-e84a-4bc9-82ae-d9be72047c61 diff --git a/labs/submission7.md b/labs/submission7.md new file mode 100644 index 00000000..25bded91 --- /dev/null +++ b/labs/submission7.md 
@@ -0,0 +1,297 @@ +# Lab 7 — Container Security: Image Scanning & Deployment Hardening + +## Target Application + +- Image: `bkimminich/juice-shop:v19.0.0` + +--- + +## Task 1 — Image Vulnerability & Configuration Analysis + +### Docker Scout Vulnerability Analysis + +Docker Scout was used to scan the OWASP Juice Shop container image for known package vulnerabilities. + +Scan summary: +- Critical: **11** +- High: **65** +- Medium: **30** +- Low: **5** +- Unspecified: **7** + +The scan detected **48 vulnerable packages** with a total of **118 vulnerabilities**. This indicates a significant supply-chain risk due to outdated and vulnerable dependencies inside the image. + +### Top 5 Critical/High Vulnerabilities + +| CVE | Package | Severity | Impact | +|-----|---------|----------|--------| +| CVE-2026-22709 | `vm2` 3.9.17 | Critical | Protection mechanism failure with very high impact; may enable sandbox escape / remote code execution scenarios | +| CVE-2023-37903 | `vm2` 3.9.17 | Critical | OS command injection vulnerability | +| CVE-2023-37466 | `vm2` 3.9.17 | Critical | Code injection vulnerability | +| CVE-2025-55130 | `node` 22.18.0 | Critical | Vulnerable Node.js runtime affecting the application platform itself | +| CVE-2019-10744 | `lodash` 2.4.2 | Critical | Prototype pollution vulnerability that can impact application integrity | + +Additional notable high-risk packages included: +- `tar` +- `multer` +- `jsonwebtoken` +- `crypto-js` +- `sequelize` +- `ip` + +### Snyk Comparison + +Snyk was used as an additional scanner to compare results with Docker Scout. +It identified multiple high and critical vulnerabilities in both OS-level and npm dependencies, including issues in `node`, `vm2`, `multer`, `sequelize`, and `express-jwt`. 
+ +Snyk also provided actionable remediation suggestions, such as upgrading: +- `node` to `22.22.0` +- `multer` to `2.1.1` +- `sequelize` to `6.37.8` +- `express-jwt` to `6.0.0` + +In general: +- **Docker Scout** is strongly integrated into Docker workflows and is convenient for image and SBOM-oriented vulnerability analysis. +- **Snyk** is useful for broader security platform workflows and policy-driven reporting. +- Both tools are valuable, but Docker Scout already provided enough detailed CVE evidence for this lab. + +### Dockle Configuration Findings + +Dockle did not report any **FATAL** or **WARN** findings for this image, but it reported several informational issues: + +- Docker content trust is not enabled +- No `HEALTHCHECK` instruction is present +- Unnecessary files exist in the image (for example `.DS_Store` files) + +These findings still matter because: +- missing **HEALTHCHECK** reduces runtime observability and recovery quality +- missing **content trust** weakens supply-chain assurance +- unnecessary files increase image noise and slightly increase attack surface / maintenance burden + +### Security Posture Assessment + +The image has a weak security posture from a vulnerability management perspective because it includes many outdated and vulnerable packages. 
+ +Assessment: +- The image contains numerous critical/high vulnerabilities +- Dockle did not flag major runtime misconfigurations, but best practices are still missing +- The image would benefit from dependency cleanup and stronger image hardening + +Recommended improvements: +- update vulnerable npm and runtime dependencies +- rebuild the image regularly with patched base/runtime layers +- add a `HEALTHCHECK` +- enable content trust / signed image workflows +- remove unnecessary files from build output +- run the container as a non-root user if possible +- minimize package footprint and attack surface + +--- + +## Task 2 — Docker Host Security Benchmarking + +### CIS Docker Benchmark Summary + +Docker Bench Security results: + +- PASS: **40** +- WARN: **82** +- FAIL: **0** +- INFO: **88** + +The benchmark completed successfully. No direct `FAIL` findings were reported, but the large number of `WARN` entries shows that the Docker host and running environment still have many hardening gaps. + +### Analysis of Warnings + +Key warning areas included: + +- no separate partition for containers +- auditing not configured for Docker daemon/files +- network traffic on the default bridge not sufficiently restricted +- user namespace support not enabled +- authorization for Docker client commands not enabled +- centralized/remote logging not configured +- live restore not enabled +- userland proxy not disabled +- containers not restricted from acquiring new privileges +- Docker socket ownership issue +- many images missing `HEALTHCHECK` +- some containers running without CPU restrictions +- some containers using writable root filesystems +- wildcard host bindings (`0.0.0.0`) +- no PID limits on several containers +- Docker socket mounted into at least one container + +### Security Impact + +These warnings matter because they increase the blast radius of compromise and weaken defense in depth. 
For example: + +- missing auditing reduces incident visibility +- lack of user namespaces weakens isolation +- unrestricted host bindings expose services too broadly +- writable root filesystems help persistence after compromise +- missing PID / CPU limits increases denial-of-service risk +- mounting the Docker socket can enable container breakout or host control + +### Recommended Remediation Steps + +Recommended remediations: +- configure auditing for Docker daemon and critical Docker paths +- enable user namespace remapping +- restrict bridge/container networking more tightly +- enable centralized logging +- enable content trust and healthchecks where possible +- use `no-new-privileges` +- apply CPU, memory, and PID limits consistently +- avoid mounting Docker socket into containers +- bind services to specific interfaces instead of `0.0.0.0` +- consider read-only root filesystems for suitable containers + +--- + +## Task 3 — Deployment Security Configuration Analysis + +### Functionality Results + +All three profiles were tested for availability: + +- Default: **HTTP 200** +- Hardened: **HTTP 200** +- Production: **HTTP 200** + +This shows that the hardened runtime settings did not break the application in this environment. + +### Resource Usage Summary + +Observed memory usage: + +- Default: **99.86 MiB / 5.786 GiB** +- Hardened: **92.77 MiB / 512 MiB** +- Production: **91.29 MiB / 512 MiB** + +The hardened and production profiles successfully enforced memory limits, while the default profile used the host default limit. 
+ +### Configuration Comparison Table + +| Profile | Capabilities | Security Options | Memory | CPU | PIDs | Restart Policy | +|--------|--------------|------------------|--------|-----|------|----------------| +| Default | Docker defaults | none | unlimited / host default | none | none | no | +| Hardened | `--cap-drop=ALL` | `no-new-privileges` | 512 MiB | set via `--cpus=1.0` | none | no | +| Production | `--cap-drop=ALL`, `--cap-add=NET_BIND_SERVICE` | `no-new-privileges` | 512 MiB | set via `--cpus=1.0` | 100 | `on-failure` | + +### Security Measure Analysis + +#### a) `--cap-drop=ALL` and `--cap-add=NET_BIND_SERVICE` + +Linux capabilities split root privileges into smaller privilege units. +Dropping all capabilities removes a large set of privileged operations that a compromised process could otherwise abuse. + +Security benefit: +- reduces privilege escalation opportunities +- limits post-exploitation actions +- follows least-privilege design + +`NET_BIND_SERVICE` is added back only when low-port binding is needed. This is a much safer model than keeping default capabilities. + +#### b) `--security-opt=no-new-privileges` + +This prevents processes from gaining additional privileges after container start, for example through setuid/setgid binaries. + +Security benefit: +- helps stop privilege escalation inside the container +- limits abuse after code execution compromise + +Downside: +- some applications that rely on privilege transitions may not work correctly + +#### c) `--memory=512m` and `--cpus=1.0` + +Without limits, a container can consume excessive host resources and affect availability of other workloads. 
+ +Security benefit: +- reduces denial-of-service impact +- contains runaway memory/CPU consumption +- protects multi-container hosts from noisy-neighbor effects + +Risk if limits are too low: +- application instability +- restarts +- degraded performance + +#### d) `--pids-limit=100` + +A fork bomb is an attack or failure mode where processes recursively create more processes until the system becomes unusable. + +Security benefit: +- limits process explosion +- reduces host resource exhaustion risk + +The correct PID limit depends on the application’s process model and expected concurrency. + +#### e) `--restart=on-failure:3` + +This restart policy restarts the container only after failure, and only up to a limited number of times. + +Security benefit: +- improves resilience during transient failures +- avoids endless restart loops better than `always` + +Comparison: +- `on-failure` is safer for crash analysis and controlled recovery +- `always` may hide recurring faults and create restart loops + +### Critical Thinking + +**Which profile is best for development? Why?** +The **default** or **hardened** profile is more suitable for development. Default is easiest for debugging, while hardened adds useful protections without too much operational complexity. In practice, hardened is the better security-aware development baseline. + +**Which profile is best for production? Why?** +The **production** profile is the best choice because it applies least privilege, memory limits, PID limits, and restart control. It provides stronger containment if the application is exploited. + +**What real-world problem do resource limits solve?** +They reduce the impact of denial-of-service conditions, runaway processes, memory exhaustion, and unfair resource consumption on shared hosts. 
+ +**If an attacker exploits Default vs Production, what actions are blocked in Production?** +Production better restricts: +- privilege-related operations due to dropped capabilities +- privilege escalation due to `no-new-privileges` +- process explosion due to PID limit +- resource abuse due to memory/CPU constraints +- uncontrolled restart behavior due to limited restart policy + +**What additional hardening would you add?** +Additional recommended hardening: +- run as non-root +- use read-only root filesystem where possible +- add explicit seccomp profile support +- restrict networking further +- add healthchecks +- use signed images / attestations +- reduce package footprint +- mount only required volumes with minimal permissions + +### Note on seccomp + +The intended production profile originally included an explicit `seccomp=default` setting. In this environment, Docker rejected that literal option and treated it as a missing file path. To complete the deployment comparison successfully, the production profile was re-run without the explicit seccomp flag. + +The recommendation remains the same: in a real production environment, Docker’s default seccomp profile or a custom hardened seccomp profile should be enabled. + +--- + +## Conclusion + +This lab showed that container security depends on both **image security** and **runtime hardening**. + +Key conclusions: +- the Juice Shop image contains a large number of critical/high vulnerabilities +- Docker Bench revealed many host/container hardening warnings even without direct FAIL findings +- runtime hardening flags significantly improve containment without breaking application functionality +- the production-style profile offers the best balance for real deployment security + +A secure container deployment should combine: +- regular vulnerability scanning +- host hardening +- strict runtime controls +- least privilege +- resource limits +- secure supply-chain practices 
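Review bot: in `labs/submission1.md` (PATCH 2/4), the "API Check" under Health Check counts `Error: Unexpected path: /rest/products` as a pass, but that response only shows the application's error handler answering a route it does not serve, not a working product API. Re-run the check against a route the application does serve (for example `/rest/products/search?q=`) and paste the JSON it returns. Risk 1 cites "detailed stack traces", yet the pasted output is elided with `...`; include the lines that show the trace or narrow the claim to what the output shows. The `curl -I` step under "Security headers" has no output pasted either, so the statement that CSP/HSTS/X-Frame-Options are missing has no evidence in the report. In Task 2, step 2 stages `labs/img/juice-home.png`, while the commit adds and the report links `labs/img/juice-home.jpg`; correct the command so it matches what was committed.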
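Review bot: in `labs/lab7/scanning/snyk-results.txt` (PATCH 3/4), the committed output ends with `ERROR Forbidden (SNYK-CLI-0000)` and `Status: 403 Forbidden`, so the last step of the run failed, and neither this file nor `labs/submission7.md` says which command that was or whether the results above it are complete. Record the exact commands that produced each section and either explain the 403 in the write-up or trim it after re-running. The file also carries account-specific values (`Organization: fayz131` and the `urn:snyk:interaction:` ID); these are not credentials, but they are not needed as evidence and can be dropped before committing raw tool output.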
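Review bot: in `labs/submission7.md` (PATCH 3/4), the Configuration Comparison Table says CPU is "set via `--cpus=1.0`" for Hardened and Production, but `labs/lab7/analysis/deployment-comparison.txt` in PATCH 4/4 records `CPU: 0` for both containers, so the evidence does not support the table. `--cpus` is stored in `HostConfig.NanoCpus`; if the inspect format read a different field, switch it to `NanoCpus` and regenerate the file, otherwise state that no CPU limit was applied. The "Note on seccomp" section also reads as if dropping the rejected `seccomp=default` option left the container without seccomp. Docker applies its default seccomp profile whenever no seccomp option is given and only disables it with `seccomp=unconfined`, so say that the default profile was in effect and keep the recommendation for a custom profile as the optional extra.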
From e087e3d7f9618526f7711f70bfcb59557922f603 Mon Sep 17 00:00:00 2001 From: fayz131 Date: Mon, 23 Mar 2026 15:50:49 +0300 Subject: [PATCH 4/4] docs(lab7): add container security analysis and scanning results --- labs/lab7/analysis/deployment-comparison.txt | 39 + labs/lab7/analysis/docker-bench-summary.txt | 5 + labs/lab7/hardening/docker-bench-results.txt | 245 +++++ labs/lab7/scanning/dockle-results.txt | 9 + labs/lab7/scanning/scout-cves.txt | 1032 ++++++++++++++++++ 5 files changed, 1330 insertions(+) create mode 100644 labs/lab7/analysis/deployment-comparison.txt create mode 100644 labs/lab7/analysis/docker-bench-summary.txt create mode 100644 labs/lab7/hardening/docker-bench-results.txt create mode 100644 labs/lab7/scanning/dockle-results.txt create mode 100644 labs/lab7/scanning/scout-cves.txt diff --git a/labs/lab7/analysis/deployment-comparison.txt b/labs/lab7/analysis/deployment-comparison.txt new file mode 100644 index 00000000..418e5b20 --- /dev/null +++ b/labs/lab7/analysis/deployment-comparison.txt @@ -0,0 +1,39 @@ +=== Functionality Test === +Default: HTTP 200 +Hardened: HTTP 200 +Production: HTTP 200 + +=== Resource Usage === +NAME CPU % MEM USAGE / LIMIT MEM % +juice-default 0.74% 99.86MiB / 5.786GiB 1.69% +juice-hardened 0.54% 92.77MiB / 512MiB 18.12% +juice-production 0.64% 91.29MiB / 512MiB 17.83% + +=== Security Configurations === + +Container: juice-default +CapDrop: +CapAdd: +SecurityOpt: +Memory: 0 +CPU: 0 +PIDs: +Restart: no + +Container: juice-hardened +CapDrop: [ALL] +CapAdd: +SecurityOpt: [no-new-privileges] +Memory: 536870912 +CPU: 0 +PIDs: +Restart: no + +Container: juice-production +CapDrop: [ALL] +CapAdd: [CAP_NET_BIND_SERVICE] +SecurityOpt: [no-new-privileges] +Memory: 536870912 +CPU: 0 +PIDs: 100 +Restart: on-failure diff --git a/labs/lab7/analysis/docker-bench-summary.txt b/labs/lab7/analysis/docker-bench-summary.txt new file mode 100644 index 00000000..a65f5035 --- /dev/null +++ b/labs/lab7/analysis/docker-bench-summary.txt 
@@ -0,0 +1,5 @@ +Docker Bench Summary +PASS: 40 +WARN: 82 +FAIL: 0 +INFO: 88 diff --git a/labs/lab7/hardening/docker-bench-results.txt b/labs/lab7/hardening/docker-bench-results.txt new file mode 100644 index 00000000..916f441c --- /dev/null +++ b/labs/lab7/hardening/docker-bench-results.txt 
@@ -0,0 +1,245 @@ +# ------------------------------------------------------------------------------ +# Docker Bench for Security v1.3.4 +# +# Docker, Inc. (c) 2015- +# +# Checks for dozens of common best-practices around deploying Docker containers in production. +# Inspired by the CIS Docker Community Edition Benchmark v1.1.0. +# ------------------------------------------------------------------------------ + +Initializing Mon Mar 23 11:57:04 UTC 2026 + + +[INFO] 1 - Host Configuration +[WARN] 1.1 - Ensure a separate partition for containers has been created +[NOTE] 1.2 - Ensure the container host has been Hardened +[PASS] 1.3 - Ensure Docker is up to date +[INFO] * Using 28.2.2 which is current +[INFO] * Check with your operating system vendor for support and security maintenance for Docker +[INFO] 1.4 - Ensure only trusted users are allowed to control Docker daemon +[INFO] * docker:x:101 +[WARN] 1.5 - Ensure auditing is configured for the Docker daemon +[WARN] 1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker +[INFO] 1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker +[INFO] * Directory not found +[WARN] 1.8 - Ensure auditing is configured for Docker files and directories - docker.service +[WARN] 1.9 - Ensure auditing is configured for Docker files and directories - docker.socket +[INFO] 1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker +[INFO] * File not found +[INFO] 1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json +[INFO] * File not found +[INFO] 1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd +[INFO] * File not found +[INFO] 1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc +[INFO] * File not found + + +[INFO] 2 - Docker daemon configuration +[WARN] 2.1 - Ensure network traffic is restricted between containers 
on the default bridge +[PASS] 2.2 - Ensure the logging level is set to 'info' +[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables +[PASS] 2.4 - Ensure insecure registries are not used +[PASS] 2.5 - Ensure aufs storage driver is not used +[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured +[INFO] * Docker daemon not listening on TCP +[INFO] 2.7 - Ensure the default ulimit is configured appropriately +[INFO] * Default ulimit doesn't appear to be set +[WARN] 2.8 - Enable user namespace support +[PASS] 2.9 - Ensure the default cgroup usage has been confirmed +[PASS] 2.10 - Ensure base device size is not changed until needed +[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled +[WARN] 2.12 - Ensure centralized and remote logging is configured +[INFO] 2.13 - Ensure operations on legacy registry (v1) are Disabled (Deprecated) +[WARN] 2.14 - Ensure live restore is Enabled +[WARN] 2.15 - Ensure Userland Proxy is Disabled +[INFO] 2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed +[PASS] 2.17 - Ensure experimental features are avoided in production +[WARN] 2.18 - Ensure containers are restricted from acquiring new privileges + + +[INFO] 3 - Docker daemon configuration files +[PASS] 3.1 - Ensure that docker.service file ownership is set to root:root +[PASS] 3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive +[PASS] 3.3 - Ensure that docker.socket file ownership is set to root:root +[PASS] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive +[INFO] 3.5 - Ensure that /etc/docker directory ownership is set to root:root +[INFO] * Directory not found +[INFO] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive +[INFO] * Directory not found +[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root +[INFO] * Directory not found +[INFO] 3.8 - Ensure that registry certificate file 
permissions are set to 444 or more restrictive +[INFO] * Directory not found +[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root +[INFO] * No TLS CA certificate found +[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive +[INFO] * No TLS CA certificate found +[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root +[INFO] * No TLS Server certificate found +[INFO] 3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive +[INFO] * No TLS Server certificate found +[INFO] 3.13 - Ensure that Docker server certificate key file ownership is set to root:root +[INFO] * No TLS Key found +[INFO] 3.14 - Ensure that Docker server certificate key file permissions are set to 400 +[INFO] * No TLS Key found +[WARN] 3.15 - Ensure that Docker socket file ownership is set to root:docker +[WARN] * Wrong ownership for /var/run/docker.sock +[PASS] 3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive +[INFO] 3.17 - Ensure that daemon.json file ownership is set to root:root +[INFO] * File not found +[INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive +[INFO] * File not found +[INFO] 3.19 - Ensure that /etc/default/docker file ownership is set to root:root +[INFO] * File not found +[INFO] 3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive +[INFO] * File not found + + +[INFO] 4 - Container Images and Build File +[WARN] 4.1 - Ensure a user for the container has been created +[WARN] * Running as root: promtail +[NOTE] 4.2 - Ensure that containers use trusted base images +[NOTE] 4.3 - Ensure unnecessary packages are not installed in the container +[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches +[WARN] 4.5 - Ensure Content trust for Docker is Enabled +[WARN] 4.6 - Ensure HEALTHCHECK instructions have been added to 
the container image +[WARN] * No Healthcheck found: [fayzullin/devops-info-service:latest] +[WARN] * No Healthcheck found: [trufflesecurity/trufflehog:latest] +[WARN] * No Healthcheck found: [bridgecrew/checkov:latest] +[WARN] * No Healthcheck found: [python:3.12-slim] +[WARN] * No Healthcheck found: [checkmarx/kics:latest] +[WARN] * No Healthcheck found: [sh3b0/labenv:stable] +[WARN] * No Healthcheck found: [prom/prometheus:v3.9.0] +[WARN] * No Healthcheck found: [jlesage/firefox:v25.12.5] +[WARN] * No Healthcheck found: [grafana/grafana:12.3.1] +[WARN] * No Healthcheck found: [zricethezav/gitleaks:latest] +[WARN] * No Healthcheck found: [bkimminich/juice-shop:v19.0.0] +[WARN] * No Healthcheck found: [aquasec/tfsec:latest] +[WARN] * No Healthcheck found: [sh1co/wikifet:latest] +[WARN] * No Healthcheck found: [quay.io/keycloak/keycloak:26.0] +[WARN] * No Healthcheck found: [goodwithtech/dockle:latest] +[WARN] * No Healthcheck found: [tenable/terrascan:latest] +[WARN] * No Healthcheck found: [grafana/loki:3.0.0] +[WARN] * No Healthcheck found: [grafana/promtail:3.0.0] +[INFO] 4.7 - Ensure update instructions are not use alone in the Dockerfile +[INFO] * Update instruction found: [fayzullin/devops-info-service:latest] +[INFO] * Update instruction found: [bridgecrew/checkov:latest] +[INFO] * Update instruction found: [python:3.12-slim] +[INFO] * Update instruction found: [checkmarx/kics:latest] +[INFO] * Update instruction found: [sh3b0/labenv:stable] +[INFO] * Update instruction found: [sh1co/wikifet:latest] +[INFO] * Update instruction found: [grafana/promtail:3.0.0] +[NOTE] 4.8 - Ensure setuid and setgid permissions are removed in the images +[INFO] 4.9 - Ensure COPY is used instead of ADD in Dockerfile +[INFO] * ADD in image history: [trufflesecurity/trufflehog:latest] +[INFO] * ADD in image history: [sh3b0/labenv:stable] +[INFO] * ADD in image history: [jlesage/firefox:v25.12.5] +[INFO] * ADD in image history: [grafana/grafana:12.3.1] +[INFO] * ADD in image 
history: [zricethezav/gitleaks:latest] +[INFO] * ADD in image history: [aquasec/tfsec:latest] +[INFO] * ADD in image history: [sh1co/wikifet:latest] +[INFO] * ADD in image history: [goodwithtech/dockle:latest] +[INFO] * ADD in image history: [grafana/loki:3.0.0] +[INFO] * ADD in image history: [grafana/promtail:3.0.0] +[INFO] * ADD in image history: [docker/docker-bench-security:latest] +[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles +[NOTE] 4.11 - Ensure verified packages are only Installed + + +[INFO] 5 - Container Runtime +[PASS] 5.1 - Ensure AppArmor Profile is Enabled +[WARN] 5.2 - Ensure SELinux security options are set, if applicable +[WARN] * No SecurityOptions Found: grafana +[WARN] * No SecurityOptions Found: app-python +[WARN] * No SecurityOptions Found: promtail +[WARN] * No SecurityOptions Found: loki +[WARN] * No SecurityOptions Found: prometheus +[PASS] 5.3 - Ensure Linux Kernel Capabilities are restricted within containers +[PASS] 5.4 - Ensure privileged containers are not used +[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers +[PASS] 5.6 - Ensure ssh is not run within containers +[PASS] 5.7 - Ensure privileged ports are not mapped within containers +[NOTE] 5.8 - Ensure only needed ports are open on the container +[PASS] 5.9 - Ensure the host's network namespace is not shared +[PASS] 5.10 - Ensure memory usage for container is limited +[WARN] 5.11 - Ensure CPU priority is set appropriately on the container +[WARN] * Container running without CPU restrictions: grafana +[WARN] * Container running without CPU restrictions: app-python +[WARN] * Container running without CPU restrictions: promtail +[WARN] * Container running without CPU restrictions: loki +[WARN] * Container running without CPU restrictions: prometheus +[WARN] 5.12 - Ensure the container's root filesystem is mounted as read only +[WARN] * Container running with root FS mounted R/W: grafana +[WARN] * Container running with root FS mounted 
R/W: app-python +[WARN] * Container running with root FS mounted R/W: promtail +[WARN] * Container running with root FS mounted R/W: loki +[WARN] * Container running with root FS mounted R/W: prometheus +[WARN] 5.13 - Ensure incoming container traffic is binded to a specific host interface +[WARN] * Port being bound to wildcard IP: 0.0.0.0 in grafana +[WARN] * Port being bound to wildcard IP: 0.0.0.0 in app-python +[WARN] * Port being bound to wildcard IP: 0.0.0.0 in promtail +[WARN] * Port being bound to wildcard IP: 0.0.0.0 in loki +[WARN] * Port being bound to wildcard IP: 0.0.0.0 in prometheus +[WARN] 5.14 - Ensure 'on-failure' container restart policy is set to '5' +[WARN] * MaximumRetryCount is not set to 5: grafana +[WARN] * MaximumRetryCount is not set to 5: app-python +[WARN] * MaximumRetryCount is not set to 5: promtail +[WARN] * MaximumRetryCount is not set to 5: loki +[WARN] * MaximumRetryCount is not set to 5: prometheus +[PASS] 5.15 - Ensure the host's process namespace is not shared +[PASS] 5.16 - Ensure the host's IPC namespace is not shared +[PASS] 5.17 - Ensure host devices are not directly exposed to containers +[INFO] 5.18 - Ensure the default ulimit is overwritten at runtime, only if needed +[INFO] * Container no default ulimit override: grafana +[INFO] * Container no default ulimit override: app-python +[INFO] * Container no default ulimit override: promtail +[INFO] * Container no default ulimit override: loki +[INFO] * Container no default ulimit override: prometheus +[PASS] 5.19 - Ensure mount propagation mode is not set to shared +[PASS] 5.20 - Ensure the host's UTS namespace is not shared +[PASS] 5.21 - Ensure the default seccomp profile is not Disabled +[NOTE] 5.22 - Ensure docker exec commands are not used with privileged option +[NOTE] 5.23 - Ensure docker exec commands are not used with user option +[PASS] 5.24 - Ensure cgroup usage is confirmed +[WARN] 5.25 - Ensure the container is restricted from acquiring additional privileges 
+[WARN] * Privileges not restricted: grafana +[WARN] * Privileges not restricted: app-python +[WARN] * Privileges not restricted: promtail +[WARN] * Privileges not restricted: loki +[WARN] * Privileges not restricted: prometheus +[WARN] 5.26 - Ensure container health is checked at runtime +[WARN] * Health check not set: promtail +[INFO] 5.27 - Ensure docker commands always get the latest version of the image +[WARN] 5.28 - Ensure PIDs cgroup limit is used +[WARN] * PIDs limit not set: grafana +[WARN] * PIDs limit not set: app-python +[WARN] * PIDs limit not set: promtail +[WARN] * PIDs limit not set: loki +[WARN] * PIDs limit not set: prometheus +[PASS] 5.29 - Ensure Docker's default bridge docker0 is not used +[PASS] 5.30 - Ensure the host's user namespaces is not shared +[WARN] 5.31 - Ensure the Docker socket is not mounted inside any containers +[WARN] * Docker socket shared: promtail + + +[INFO] 6 - Docker Security Operations +[INFO] 6.1 - Avoid image sprawl +[INFO] * There are currently: 21 images +[INFO] 6.2 - Avoid container sprawl +[INFO] * There are currently a total of 11 containers, with 6 of them currently running + + +[INFO] 7 - Docker Swarm Configuration +[PASS] 7.1 - Ensure swarm mode is not Enabled, if not needed +[PASS] 7.2 - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled) +[PASS] 7.3 - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled) +[PASS] 7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network +[PASS] 7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled) +[PASS] 7.6 - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled) +[PASS] 7.7 - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled) +[PASS] 7.8 - Ensure node certificates are rotated as appropriate (Swarm mode not enabled) +[PASS] 7.9 - Ensure 
CA certificates are rotated as appropriate (Swarm mode not enabled) +[PASS] 7.10 - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled) + +[INFO] Checks: 105 +[INFO] Score: 13 diff --git a/labs/lab7/scanning/dockle-results.txt b/labs/lab7/scanning/dockle-results.txt new file mode 100644 index 00000000..91b99573 --- /dev/null +++ b/labs/lab7/scanning/dockle-results.txt @@ -0,0 +1,9 @@ +SKIP - DKL-LI-0001: Avoid empty password + * failed to detect etc/shadow,etc/master.passwd +INFO - CIS-DI-0005: Enable Content trust for Docker + * export DOCKER_CONTENT_TRUST=1 before docker pull/build +INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image + * not found HEALTHCHECK statement +INFO - DKL-LI-0003: Only put necessary files + * unnecessary file : juice-shop/node_modules/extglob/lib/.DS_Store + * unnecessary file : juice-shop/node_modules/micromatch/lib/.DS_Store diff --git a/labs/lab7/scanning/scout-cves.txt b/labs/lab7/scanning/scout-cves.txt new file mode 100644 index 00000000..d548d9a4 --- /dev/null +++ b/labs/lab7/scanning/scout-cves.txt 
@@ -0,0 +1,1032 @@ + + +## Overview + + │ Analyzed Image +───────────────────┼────────────────────────────────────────── + Target │ bkimminich/juice-shop:v19.0.0 + digest │ 37cc73163c4c + platform │ linux/amd64 + provenance │ https://github.com/juice-shop/juice-shop + │ https://github.com/juice-shop/juice-shop/blob/36870cb + vulnerabilities │ 11C 65H 30M 5L 7? + size │ 172 MB + packages │ 1004 + + +## Packages and Vulnerabilities + + 4C 0H 1M 0L vm2 3.9.17 +pkg:npm/vm2@3.9.17 + + ✗ CRITICAL CVE-2026-22709 [Protection Mechanism Failure] + https://scout.docker.com/v/CVE-2026-22709?s=github&n=vm2&t=npm&vr=%3C%3D3.10.1 + Affected range : <=3.10.1 + Fixed version : 3.10.2 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-37903 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] + https://scout.docker.com/v/CVE-2023-37903?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19 + Affected range : <=3.9.19 + Fixed version : not fixed + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-37466 [Improper Control of Generation of Code ('Code Injection')] + https://scout.docker.com/v/CVE-2023-37466?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19 + Affected range : <=3.9.19 + Fixed version : 3.10.0 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-32314 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2023-32314?s=github&n=vm2&t=npm&vr=%3C3.9.18 + Affected range : <3.9.18 + Fixed version : 3.9.18 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ MEDIUM CVE-2023-32313 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2023-32313?s=github&n=vm2&t=npm&vr=%3C3.9.18 + Affected range : <3.9.18 + Fixed version : 3.9.18 
+ CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 1C 4H 1M 0L node 22.18.0 +pkg:generic/node@22.18.0 + + ✗ CRITICAL CVE-2025-55130 + https://scout.docker.com/v/CVE-2025-55130?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2026-21637 + https://scout.docker.com/v/CVE-2026-21637?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-59466 + https://scout.docker.com/v/CVE-2025-59466?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-59465 + https://scout.docker.com/v/CVE-2025-59465?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ HIGH CVE-2025-55131 + https://scout.docker.com/v/CVE-2025-55131?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + ✗ MEDIUM CVE-2025-55132 + https://scout.docker.com/v/CVE-2025-55132?s=docker&n=node&t=generic&vr=%3E%3D22.0.0%2C%3C22.22.0 + Affected range : >=22.0.0 + : <22.22.0 + Fixed version : 22.22.0 + + + 1C 3H 1M 0L 1? 
lodash 2.4.2 +pkg:npm/lodash@2.4.2 + + ✗ CRITICAL CVE-2019-10744 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2019-10744?s=github&n=lodash&t=npm&vr=%3C4.17.12 + Affected range : <4.17.12 + Fixed version : 4.17.12 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H + + ✗ HIGH CVE-2020-8203 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-8203?s=gitlab&n=lodash&t=npm&vr=%3C4.17.20 + Affected range : <4.17.20 + Fixed version : 4.17.20 + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + ✗ HIGH CVE-2021-23337 [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/CVE-2021-23337?s=github&n=lodash&t=npm&vr=%3C4.17.21 + Affected range : <4.17.21 + Fixed version : 4.17.21 + CVSS Score : 7.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + + ✗ HIGH CVE-2018-16487 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2018-16487?s=github&n=lodash&t=npm&vr=%3C4.17.11 + Affected range : <4.17.11 + Fixed version : 4.17.11 + + ✗ MEDIUM CVE-2018-3721 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2018-3721?s=github&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N + + ✗ UNSPECIFIED GMS-2018-10 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2018-10?s=gitlab&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + + + 1C 1H 2M 0L 1? 
jsonwebtoken 0.1.0 +pkg:npm/jsonwebtoken@0.1.0 + + ✗ CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + ✗ HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + ✗ MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + ✗ UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 2M 0L 1? 
jsonwebtoken 0.4.0 +pkg:npm/jsonwebtoken@0.4.0 + + ✗ CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + ✗ HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + ✗ MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + ✗ UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 0M 0L crypto-js 3.3.0 +pkg:npm/crypto-js@3.3.0 + + ✗ CRITICAL CVE-2023-46233 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2023-46233?s=github&n=crypto-js&t=npm&vr=%3C4.2.0 + Affected range : <4.2.0 + Fixed version : 4.2.0 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + + ✗ HIGH GMS-2020-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2020-4?s=gitlab&n=crypto-js&t=npm&vr=%3E%3D3.3.0%2C%3C4.0.0 + Affected range : >=3.3.0 + : <4.0.0 + Fixed version : 3.2.1, 4.0.0 + CVSS Score : 7.5 + CVSS Vector : 
AV:N/AC:L/Au:N/C:P/I:P/A:P + + + 1C 0H 1M 0L minimist 0.2.4 +pkg:npm/minimist@0.2.4 + + ✗ CRITICAL CVE-2021-44906 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-44906?s=gitlab&n=minimist&t=npm&vr=%3C1.2.6 + Affected range : <1.2.6 + Fixed version : 1.2.6 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ MEDIUM CVE-2020-7598 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7598?s=gitlab&n=minimist&t=npm&vr=%3C1.2.2 + Affected range : <1.2.2 + Fixed version : 1.2.2 + CVSS Score : 5.6 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L + + + 1C 0H 0M 0L marsdb 0.6.11 +pkg:npm/marsdb@0.6.11 + + ✗ CRITICAL GHSA-5mrr-rgp6-x4gr [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/GHSA-5mrr-rgp6-x4gr?s=github&n=marsdb&t=npm&vr=%3E%3D0.0.0 + Affected range : >=0.0.0 + Fixed version : not fixed + + + 0C 6H 1M 0L tar 4.4.19 +pkg:npm/tar@4.4.19 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : 
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2024-28863 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2024-28863?s=github&n=tar&t=npm&vr=%3C6.2.1 + Affected range : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + + + 0C 6H 0M 0L tar 7.4.3 +pkg:npm/tar@7.4.3 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper 
Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + + 0C 6H 0M 0L tar 6.2.1 +pkg:npm/tar@6.2.1 + + ✗ HIGH CVE-2026-23950 [Improper Handling of Unicode Encoding] + https://scout.docker.com/v/CVE-2026-23950?s=github&n=tar&t=npm&vr=%3C%3D7.5.3 + Affected range : <=7.5.3 + Fixed version : 7.5.4 + CVSS Score : 8.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L + + ✗ HIGH CVE-2026-31802 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-31802?s=github&n=tar&t=npm&vr=%3C%3D7.5.10 + Affected range : <=7.5.10 + Fixed version : 7.5.11 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N + + ✗ HIGH CVE-2026-29786 [Improper Limitation of a Pathname to a 
Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-29786?s=github&n=tar&t=npm&vr=%3C%3D7.5.9 + Affected range : <=7.5.9 + Fixed version : 7.5.10 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L + + ✗ HIGH CVE-2026-24842 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-24842?s=github&n=tar&t=npm&vr=%3C7.5.7 + Affected range : <7.5.7 + Fixed version : 7.5.7 + CVSS Score : 8.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N + + ✗ HIGH CVE-2026-23745 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-23745?s=github&n=tar&t=npm&vr=%3C%3D7.5.2 + Affected range : <=7.5.2 + Fixed version : 7.5.3 + CVSS Score : 8.2 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N + + ✗ HIGH CVE-2026-26960 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2026-26960?s=github&n=tar&t=npm&vr=%3C7.5.8 + Affected range : <7.5.8 + Fixed version : 7.5.8 + CVSS Score : 7.1 + CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + + + 0C 4H 0M 0L multer 1.4.5-lts.2 +pkg:npm/multer@1.4.5-lts.2 + + ✗ HIGH CVE-2026-3520 [Uncontrolled Recursion] + https://scout.docker.com/v/CVE-2026-3520?s=github&n=multer&t=npm&vr=%3C2.1.1 + Affected range : <2.1.1 + Fixed version : 2.1.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-3304 [Incomplete Cleanup] + https://scout.docker.com/v/CVE-2026-3304?s=github&n=multer&t=npm&vr=%3C2.1.0 + Affected range : <2.1.0 + Fixed version : 2.1.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-2359 [Missing Release of Resource after Effective Lifetime] + 
https://scout.docker.com/v/CVE-2026-2359?s=github&n=multer&t=npm&vr=%3C2.1.0 + Affected range : <2.1.0 + Fixed version : 2.1.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2025-47935 [Missing Release of Memory after Effective Lifetime] + https://scout.docker.com/v/CVE-2025-47935?s=github&n=multer&t=npm&vr=%3C2.0.0 + Affected range : <2.0.0 + Fixed version : 2.0.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 9.0.5 +pkg:npm/minimatch@9.0.5 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.6 + Affected range : >=9.0.0 + : <9.0.6 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.7 + Affected range : >=9.0.0 + : <9.0.7 + Fixed version : 9.0.7 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3E%3D9.0.0%2C%3C9.0.7 + Affected range : >=9.0.0 + : <9.0.7 + Fixed version : 9.0.7 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 5.1.6 +pkg:npm/minimatch@5.1.6 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.7 + Affected range : >=5.0.0 + : <5.1.7 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + 
https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.8 + Affected range : >=5.0.0 + : <5.1.8 + Fixed version : 5.1.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3E%3D5.0.0%2C%3C5.1.8 + Affected range : >=5.0.0 + : <5.1.8 + Fixed version : 5.1.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.1.2 +pkg:npm/minimatch@3.1.2 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.0.8 +pkg:npm/minimatch@3.0.8 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : 
<3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 3H 0M 0L minimatch 3.0.5 +pkg:npm/minimatch@3.0.5 + + ✗ HIGH CVE-2026-26996 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-26996?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 10.2.1 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ HIGH CVE-2026-27904 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-27904?s=github&n=minimatch&t=npm&vr=%3C3.1.4 + Affected range : <3.1.4 + Fixed version : 3.1.4 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ HIGH CVE-2026-27903 [Inefficient Algorithmic Complexity] + https://scout.docker.com/v/CVE-2026-27903?s=github&n=minimatch&t=npm&vr=%3C3.1.3 + Affected range : <3.1.3 + Fixed version : 3.1.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 2H 1M 0L 1? 
moment 2.0.0 +pkg:npm/moment@2.0.0 + + ✗ HIGH CVE-2022-24785 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2022-24785?s=github&n=moment&t=npm&vr=%3C2.29.2 + Affected range : <2.29.2 + Fixed version : 2.29.2 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + ✗ HIGH CVE-2017-18214 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2017-18214?s=github&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2016-4055 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2016-4055?s=github&n=moment&t=npm&vr=%3C2.11.2 + Affected range : <2.11.2 + Fixed version : 2.11.2 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + ✗ UNSPECIFIED GMS-2017-332 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2017-332?s=gitlab&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + + + 0C 2H 0M 0L 1? jws 0.2.6 +pkg:npm/jws@0.2.6 + + ✗ HIGH CVE-2016-1000223 + https://scout.docker.com/v/CVE-2016-1000223?s=github&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N + + ✗ HIGH CVE-2025-65945 [Improper Verification of Cryptographic Signature] + https://scout.docker.com/v/CVE-2025-65945?s=github&n=jws&t=npm&vr=%3C3.2.3 + Affected range : <3.2.3 + Fixed version : 3.2.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + ✗ UNSPECIFIED GMS-2016-54 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-54?s=gitlab&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 1H 6M 0L 2? 
sanitize-html 1.4.2 +pkg:npm/sanitize-html@1.4.2 + + ✗ HIGH CVE-2022-25887 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25887?s=github&n=sanitize-html&t=npm&vr=%3C2.7.1 + Affected range : <2.7.1 + Fixed version : 2.7.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2019-25225 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2019-25225?s=github&n=sanitize-html&t=npm&vr=%3C2.0.0-beta + Affected range : <2.0.0-beta + Fixed version : 2.0.0-beta + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ MEDIUM CVE-2016-1000237 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2016-1000237?s=github&n=sanitize-html&t=npm&vr=%3C1.4.3 + Affected range : <1.4.3 + Fixed version : 1.4.3 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ MEDIUM CVE-2024-21501 [Exposure of Sensitive Information to an Unauthorized Actor] + https://scout.docker.com/v/CVE-2024-21501?s=github&n=sanitize-html&t=npm&vr=%3C2.12.1 + Affected range : <2.12.1 + Fixed version : 2.12.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + ✗ MEDIUM CVE-2021-26540 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26540?s=github&n=sanitize-html&t=npm&vr=%3C2.3.2 + Affected range : <2.3.2 + Fixed version : 2.3.2 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + ✗ MEDIUM CVE-2021-26539 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26539?s=github&n=sanitize-html&t=npm&vr=%3C2.3.1 + Affected range : <2.3.1 + Fixed version : 2.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + ✗ MEDIUM CVE-2017-16016 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + 
https://scout.docker.com/v/CVE-2017-16016?s=github&n=sanitize-html&t=npm&vr=%3C%3D1.11.1 + Affected range : <=1.11.1 + Fixed version : 1.11.4 + + ✗ UNSPECIFIED GMS-2016-57 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-57?s=gitlab&n=sanitize-html&t=npm&vr=%3C%3D1.4.2 + Affected range : <=1.4.2 + Fixed version : 1.4.3 + + ✗ UNSPECIFIED GMS-2016-17 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-17?s=gitlab&n=sanitize-html&t=npm&vr=%3C1.11.4 + Affected range : <1.11.4 + Fixed version : 1.11.4 + + + 0C 1H 1M 0L socket.io 3.1.2 +pkg:npm/socket.io@3.1.2 + + ✗ HIGH GHSA-25hc-qcg6-38wj [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GHSA-25hc-qcg6-38wj?s=gitlab&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 2.5.1, 4.6.2 + CVSS Score : 7.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + + ✗ MEDIUM CVE-2024-38355 [Improper Input Validation] + https://scout.docker.com/v/CVE-2024-38355?s=github&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 4.6.2 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 1M 0L socket.io-parser 4.0.5 +pkg:npm/socket.io-parser@4.0.5 + + ✗ HIGH CVE-2026-33151 [Improper Check for Unusual or Exceptional Conditions] + https://scout.docker.com/v/CVE-2026-33151?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.0%2C%3C4.2.6 + Affected range : >=4.0.0 + : <4.2.6 + Fixed version : 4.2.6 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + ✗ MEDIUM CVE-2023-32695 [Improper Input Validation] + https://scout.docker.com/v/CVE-2023-32695?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.4%2C%3C4.2.3 + Affected range : >=4.0.4 + : <4.2.3 + Fixed 
version : 4.2.3 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 1M 0L validator 13.15.15 +pkg:npm/validator@13.15.15 + + ✗ HIGH CVE-2025-12758 [Encoding Error] + https://scout.docker.com/v/CVE-2025-12758?s=github&n=validator&t=npm&vr=%3C13.15.22 + Affected range : <13.15.22 + Fixed version : 13.15.22 + CVSS Score : 7.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P + + ✗ MEDIUM CVE-2025-56200 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2025-56200?s=github&n=validator&t=npm&vr=%3C13.15.20 + Affected range : <13.15.20 + Fixed version : 13.15.20 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + + 0C 1H 0M 0L mout 1.2.4 +pkg:npm/mout@1.2.4 + + ✗ HIGH CVE-2020-7792 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7792?s=gitlab&n=mout&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L ws 7.4.6 +pkg:npm/ws@7.4.6 + + ✗ HIGH CVE-2024-37890 [NULL Pointer Dereference] + https://scout.docker.com/v/CVE-2024-37890?s=github&n=ws&t=npm&vr=%3E%3D7.0.0%2C%3C7.5.10 + Affected range : >=7.0.0 + : <7.5.10 + Fixed version : 7.5.10 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L lodash.set 4.3.2 +pkg:npm/lodash.set@4.3.2 + + ✗ HIGH CVE-2020-8203 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2020-8203?s=github&n=lodash.set&t=npm&vr=%3E%3D3.7.0%2C%3C%3D4.3.2 + Affected range : >=3.7.0 + : <=4.3.2 + Fixed version : not fixed + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + + 0C 1H 0M 0L braces 2.3.2 +pkg:npm/braces@2.3.2 + + 
✗ HIGH CVE-2024-4068 [Excessive Platform Resource Consumption within a Loop] + https://scout.docker.com/v/CVE-2024-4068?s=github&n=braces&t=npm&vr=%3C3.0.3 + Affected range : <3.0.3 + Fixed version : 3.0.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L tar-fs 2.1.3 +pkg:npm/tar-fs@2.1.3 + + ✗ HIGH CVE-2025-59343 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2025-59343?s=github&n=tar-fs&t=npm&vr=%3E%3D2.0.0%2C%3C2.1.4 + Affected range : >=2.0.0 + : <2.1.4 + Fixed version : 2.1.4 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L http-cache-semantics 3.8.1 +pkg:npm/http-cache-semantics@3.8.1 + + ✗ HIGH CVE-2022-25881 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25881?s=github&n=http-cache-semantics&t=npm&vr=%3C4.1.1 + Affected range : <4.1.1 + Fixed version : 4.1.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L express-jwt 0.1.3 +pkg:npm/express-jwt@0.1.3 + + ✗ HIGH CVE-2020-15084 [Improper Authorization] + https://scout.docker.com/v/CVE-2020-15084?s=github&n=express-jwt&t=npm&vr=%3C%3D5.3.3 + Affected range : <=5.3.3 + Fixed version : 6.0.0 + CVSS Score : 7.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N + + + 0C 1H 0M 0L glob 10.4.5 +pkg:npm/glob@10.4.5 + + ✗ HIGH CVE-2025-64756 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] + https://scout.docker.com/v/CVE-2025-64756?s=github&n=glob&t=npm&vr=%3E%3D10.2.0%2C%3C10.5.0 + Affected range : >=10.2.0 + : <10.5.0 + Fixed version : 11.1.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + + + 0C 1H 0M 0L sequelize 6.37.7 +pkg:npm/sequelize@6.37.7 + + ✗ HIGH CVE-2026-30951 [Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')] + 
https://scout.docker.com/v/CVE-2026-30951?s=github&n=sequelize&t=npm&vr=%3E%3D6.0.0-beta.1%2C%3C%3D6.37.7 + Affected range : >=6.0.0-beta.1 + : <=6.37.7 + Fixed version : 6.37.8 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + + + 0C 1H 0M 0L ip 2.0.1 +pkg:npm/ip@2.0.1 + + ✗ HIGH CVE-2024-29415 [Server-Side Request Forgery (SSRF)] + https://scout.docker.com/v/CVE-2024-29415?s=github&n=ip&t=npm&vr=%3C%3D2.0.1 + Affected range : <=2.0.1 + Fixed version : not fixed + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + + + 0C 0H 1M 1L qs 6.13.0 +pkg:npm/qs@6.13.0 + + ✗ MEDIUM CVE-2025-15284 [Improper Input Validation] + https://scout.docker.com/v/CVE-2025-15284?s=github&n=qs&t=npm&vr=%3C6.14.1 + Affected range : <6.14.1 + Fixed version : 6.14.1 + CVSS Score : 6.3 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L + + ✗ LOW CVE-2026-2391 [Improper Input Validation] + https://scout.docker.com/v/CVE-2026-2391?s=github&n=qs&t=npm&vr=%3E%3D6.7.0%2C%3C%3D6.14.1 + Affected range : >=6.7.0 + : <=6.14.1 + Fixed version : 6.14.2 + CVSS Score : 3.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L notevil 1.3.3 +pkg:npm/notevil@1.3.3 + + ✗ MEDIUM CVE-2021-23771 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2021-23771?s=github&n=notevil&t=npm&vr=%3C%3D1.3.3 + Affected range : <=1.3.3 + Fixed version : not fixed + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + + + 0C 0H 1M 0L base64url 0.0.6 +pkg:npm/base64url@0.0.6 + + ✗ MEDIUM GHSA-rvg8-pwq2-xj7q [Out-of-bounds Read] + https://scout.docker.com/v/GHSA-rvg8-pwq2-xj7q?s=github&n=base64url&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 0H 1M 0L micromatch 3.1.10 +pkg:npm/micromatch@3.1.10 + + ✗ MEDIUM CVE-2024-4067 [Inefficient Regular Expression Complexity] + 
https://scout.docker.com/v/CVE-2024-4067?s=github&n=micromatch&t=npm&vr=%3C4.0.8 + Affected range : <4.0.8 + Fixed version : 4.0.8 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L got 8.3.2 +pkg:npm/got@8.3.2 + + ✗ MEDIUM CVE-2022-33987 + https://scout.docker.com/v/CVE-2022-33987?s=github&n=got&t=npm&vr=%3C11.8.5 + Affected range : <11.8.5 + Fixed version : 11.8.5 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L lodash 4.17.21 +pkg:npm/lodash@4.17.21 + + ✗ MEDIUM CVE-2025-13465 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2025-13465?s=github&n=lodash&t=npm&vr=%3E%3D4.0.0%2C%3C%3D4.17.22 + Affected range : >=4.0.0 + : <=4.17.22 + Fixed version : 4.17.23 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P + + + 0C 0H 1M 0L hbs 4.2.0 +pkg:npm/hbs@4.2.0 + + ✗ MEDIUM CVE-2021-32822 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-32822?s=gitlab&n=hbs&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + + 0C 0H 1M 0L file-type 16.5.4 +pkg:npm/file-type@16.5.4 + + ✗ MEDIUM CVE-2026-31808 [Loop with Unreachable Exit Condition ('Infinite Loop')] + https://scout.docker.com/v/CVE-2026-31808?s=github&n=file-type&t=npm&vr=%3E%3D13.0.0%2C%3C21.3.1 + Affected range : >=13.0.0 + : <21.3.1 + Fixed version : 21.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L js-yaml 3.14.1 +pkg:npm/js-yaml@3.14.1 + + ✗ MEDIUM CVE-2025-64718 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2025-64718?s=github&n=js-yaml&t=npm&vr=%3C3.14.2 + Affected range : <3.14.2 + Fixed version : 
4.1.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L engine.io 4.1.2 +pkg:npm/engine.io@4.1.2 + + ✗ MEDIUM CVE-2022-41940 [Uncaught Exception] + https://scout.docker.com/v/CVE-2022-41940?s=github&n=engine.io&t=npm&vr=%3E%3D4.0.0%2C%3C6.2.1 + Affected range : >=4.0.0 + : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + + 0C 0H 1M 0L dottie 2.0.6 +pkg:npm/dottie@2.0.6 + + ✗ MEDIUM CVE-2026-27837 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2026-27837?s=github&n=dottie&t=npm&vr=%3E%3D2.0.4%2C%3C%3D2.0.6 + Affected range : >=2.0.4 + : <=2.0.6 + Fixed version : 2.0.7 + CVSS Score : 6.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L + + + 0C 0H 0M 1L @tootallnate/once 1.1.2 +pkg:npm/%40tootallnate/once@1.1.2 + + ✗ LOW CVE-2026-3449 [Incorrect Control Flow Scoping] + https://scout.docker.com/v/CVE-2026-3449?s=github&n=once&ns=%40tootallnate&t=npm&vr=%3C3.0.1 + Affected range : <3.0.1 + Fixed version : 3.0.1 + CVSS Score : 1.9 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P + + + 0C 0H 0M 1L diff 4.0.2 +pkg:npm/diff@4.0.2 + + ✗ LOW CVE-2026-24001 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2026-24001?s=github&n=diff&t=npm&vr=%3E%3D4.0.0%2C%3C4.0.4 + Affected range : >=4.0.0 + : <4.0.4 + Fixed version : 4.0.4 + CVSS Score : 2.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U + + + 0C 0H 0M 1L @tootallnate/once 2.0.0 +pkg:npm/%40tootallnate/once@2.0.0 + + ✗ LOW CVE-2026-3449 [Incorrect Control Flow Scoping] + https://scout.docker.com/v/CVE-2026-3449?s=github&n=once&ns=%40tootallnate&t=npm&vr=%3C3.0.1 + Affected range : <3.0.1 + Fixed version : 3.0.1 + CVSS Score : 1.9 + CVSS Vector : CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P + + + 0C 0H 0M 
1L cookie 0.4.2 +pkg:npm/cookie@0.4.2 + + ✗ LOW CVE-2024-47764 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2024-47764?s=github&n=cookie&t=npm&vr=%3C0.7.0 + Affected range : <0.7.0 + Fixed version : 0.7.0 + + + +118 vulnerabilities found in 48 packages + CRITICAL 11 + HIGH 65 + MEDIUM 30 + LOW 5 + UNSPECIFIED 7 +
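Review bot: The scan log is committed verbatim and ends at `118 vulnerabilities found in 48 packages` with no triage, yet five of the packages listed in this part cannot be closed by a version bump: `mout 1.2.4`, `lodash.set 4.3.2`, `ip 2.0.1`, `notevil 1.3.3` and `hbs 4.2.0` all report `Fixed version : not fixed`. Suggest adding a short summary alongside the log that separates three groups. The first is findings with a fix inside the installed major line. The second is findings whose listed fix is a major upgrade, for example minimatch CVE-2026-26996 shows `Fixed version : 10.2.1` for the 3.x, 5.x and 9.x installs, js-yaml 3.14.1 lists 4.1.1, and glob 10.4.5 lists 11.1.0. The third is the no-fix entries, where the choice is replacing the dependency or recording an accepted risk. The entries also mix `CVSS:3.1` and `CVSS:4.0` vectors (the tar findings carry 8.2 under both), so any ranking built on the bare score column should say which version each score comes from.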