registry  /  @10stars/config  /  16.2.0

@10stars/config@16.2.0

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 8 file(s), 28.2 KB of source

Source & flagged code

3 flagged · loading source
src/vscode-config.tsView file
1import { execSync } from "node:child_process" L2: import fs from "node:fs/promises"
High
Child Process

Package source references child process execution.

src/vscode-config.tsView on unpkg · L1
121console.info(`Written: ${settingsPath}`) L122: execSync("bunx oxfmt", { cwd: vscodeDir, stdio: `inherit` }) L123: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/vscode-config.tsView on unpkg · L121
src/link-packages.tsView file
21export const checkIsMonorepo = async (pathPkg: string) => { L22: const pkgJson = await import(path.join(pathPkg, `package.json`)) L23: return Boolean(pkgJson.workspaces)
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/link-packages.tsView on unpkg · L21

Findings

3 High3 Medium4 Low
HighChild Processsrc/vscode-config.ts
HighShell
HighRuntime Package Installsrc/vscode-config.ts
MediumDynamic Requiresrc/link-packages.ts
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowNo License