Audits iOS dependencies via osv-scanner recursively over the
ios/ directory.
What gets scanned
osv-scanner understands:
- Package.resolved — Swift Package Manager (when SwiftPM is used)
- Podfile.lock — CocoaPods
Mob's iOS template does not depend on either by default — the iOS
bridge is built with raw .m / .swift files plus the bundled OTP
static libs (libcrypto.a, libbeam.a, etc.). Those static libs are
audited by the :bundled_runtime layer; this layer only covers
application-level iOS dependencies.
In a stock Mob app this layer typically reports :not_applicable,
which is the correct signal — there's no iOS dependency manifest
to audit because the app pulls nothing from CocoaPods/SwiftPM.
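The decision this layer describes can be sketched as a shell pre-check. This is an added example, not Mob's own code: the function names and every status string other than `not_applicable` are assumptions, and the exit-code mapping follows osv-scanner's documented return codes (0 no known vulnerabilities, 1 vulnerabilities found, 128 no packages found).

```shell
#!/bin/sh
# Added example: not Mob's implementation. Function names and the status
# strings other than not_applicable are assumptions for illustration.

# Print every iOS dependency manifest under directory $1 that the layer
# cares about (Package.resolved for SwiftPM, Podfile.lock for CocoaPods).
ios_manifests() {
    [ -d "$1" ] || return 0
    find "$1" -type f \( -name Package.resolved -o -name Podfile.lock \) | sort
}

# Decide the layer result for directory $1 (default: ios).
ios_audit_status() {
    dir=${1:-ios}
    if [ -z "$(ios_manifests "$dir")" ]; then
        # Stock Mob app: nothing is pulled from CocoaPods/SwiftPM.
        echo not_applicable
        return 0
    fi
    if ! command -v osv-scanner >/dev/null 2>&1; then
        echo scanner_missing
        return 0
    fi
    # Recursive scan; capture the exit code without tripping `set -e`.
    rc=0
    osv-scanner -r "$dir" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   echo clean ;;           # packages found, no known vulnerabilities
        1)   echo vulnerable ;;      # packages found, vulnerabilities reported
        128) echo not_applicable ;;  # scanner found no packages to audit
        *)   echo scanner_error ;;   # any other failure must not read as clean
    esac
}
```

Treating an unexpected exit code as `scanner_error` rather than `clean` keeps a broken scanner run from being mistaken for a passing audit.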