I need you to help find package manifest files in this repository and check for known vulnerabilities. You have access to the following tools to explore the repository:

1. list_directory(directory=""): Lists files in the given directory
2. read_file(file_path=""): Reads the contents of a specified file
3. grep_search(pattern=""): Searches for patterns across files
4. lookup_vulnerabilities(package_name="", package_version="", language=""): Looks up known vulnerabilities for a specific package version

Please use these tools to:
1. Find ALL package manifest files in the repository
2. Read and analyze these files to extract package names and exact versions
3. Use the lookup_vulnerabilities tool to check for known security vulnerabilities for each package

IMPORTANT: Only report packages that are ACTUALLY in manifest files - do not hallucinate or guess packages based on imports, function calls, or any other code. Only list packages explicitly defined in manifest files with exact versions.

First, determine what programming languages are used in the repository by examining file extensions:
- JavaScript/TypeScript: .js, .jsx, .ts, .tsx files
- Python: .py files
- Go: .go files
- Ruby: .rb files
- Java: .java files
- Rust: .rs files
- PHP: .php files

Then, use list_directory and grep_search to find specific manifest files matching these patterns:
- JavaScript/Node.js: package.json
- Python: requirements.txt, setup.py, Pipfile.lock
- Go: go.mod
- Ruby: Gemfile, Gemfile.lock, *.gemspec
- Java: pom.xml, build.gradle
- Rust: Cargo.toml
- PHP: composer.json

After finding manifest files, read them completely and extract exact version information:
- For package.json: Look in "dependencies", "devDependencies", and "peerDependencies" sections
- For requirements.txt: Extract package names and versions (format usually: package==version)
- For go.mod: Extract require statements with exact versions
- For Gemfile.lock: Look in the GEM section for exact versions
- For pom.xml: Extract groupId, artifactId, and version for each dependency
- For Cargo.toml: Extract dependencies section with exact versions

CRITICAL: For EVERY package and version you identify, you MUST call the lookup_vulnerabilities tool to check for vulnerabilities.

Examples of correct tool usage:

For JavaScript/Node.js package:
```
lookup_vulnerabilities(package_name="express", package_version="4.17.1", language="Node.js")
```

For Python package:
```
lookup_vulnerabilities(package_name="django", package_version="3.1.5", language="Python")
```

For Java package:
```
lookup_vulnerabilities(package_name="org.springframework:spring-core", package_version="5.3.8", language="Java")
```

DO NOT skip this step. Each package you find MUST be checked individually with this tool to get vulnerability information.

Return the results in this format and ONLY this format:

```json
{
    "Language": [
        {
            "name": "package_name",
            "version": "version_number",
            "vulnerabilities": [
                {
                    "id": "CVE-ID",
                    "description": "Short description of vulnerability",
                    "severity": "Critical/High/Medium/Low"
                }
            ]
        },
        ...
    ],
    ...
}
```

If no vulnerabilities are found for a package, include an empty array for vulnerabilities.

Important guidelines:
1. Only include packages with explicit version numbers (e.g., "4.2.1")
2. Skip packages with version ranges or wildcards (e.g., "^4.2.0", "~3.1", "*")
3. Return your final answer only as a JSON object inside a code block as shown above
4. Do not include any explanatory text outside the JSON code block in your final answer
5. ONLY include languages and packages you've found actual manifest files for
6. A repository that uses JavaScript should NOT have Go packages unless go.mod files are present
7. Use the lookup_vulnerabilities tool for EVERY package you identify
8. Include the CVE ID, description, and severity for each vulnerability

CRITICAL: If you don't find any manifest files for a particular language, DO NOT include that language in your response. For example, if you don't find any go.mod files, do not include "Go" in your JSON response, even if you see import statements or other references to Go.
