registry  /  @absolutejs/absolute  /  0.19.0-beta.1088

@absolutejs/absolute@0.19.0-beta.1088

A fullstack meta-framework for building web applications with TypeScript

Static Scan Results

scanned 13d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 76 file(s), 7.89 MB of source, external domains: absolutejs.com, angular.dev, brew.sh, cdn.jsdelivr.net, fonts.googleapis.com, fonts.gstatic.com, github.com, json-schema.org, placeholder.local, react.dev, reactjs.org, schema.org, tailwindcss.com, unpkg.com, www.npmjs.com, www.sitemaps.org, www.w3.org
Oversized source lightweight scan
dist/cli/index.js8.85 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsShellWebSocketDynamicRequireObfuscatedHighEntropyStringsUrlStringsabsolutejs.combrew.shgithub.com

Source & flagged code

10 flagged · loading source
dist/build.jsView file
10782try { L10783: return __require("child_process").execSync("ldd --version", { encoding: "utf8" }).includes("musl"); L10784: } catch (e) {
High
Child Process

Package source references child process execution.

dist/build.jsView on unpkg · L10782
dist/index.jsView file
16335spawnSync(`tsc`, { L16336: shell: true, L16337: cwd: tmpRoot,
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L16335
dist/svelte/server.jsView file
876STYLE_LANGUAGE_PATTERN = /^(s[ac]ss|less|styl(?:us)?)$/i; L877: importOptionalPeer = new Function("specifier", "return import(specifier)"); L878: requireOptionalPeer = new Function("specifier", "return require(specifier)");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/svelte/server.jsView on unpkg · L876
876STYLE_LANGUAGE_PATTERN = /^(s[ac]ss|less|styl(?:us)?)$/i; L877: importOptionalPeer = new Function("specifier", "return import(specifier)"); L878: requireOptionalPeer = new Function("specifier", "return require(specifier)");
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/svelte/server.jsView on unpkg · L876
103const exportKey = subpath ? `./${subpath}` : "."; L104: const currentPackageJsonPath = resolve(process.cwd(), "package.json"); L105: const currentPackageJson = existsSync(currentPackageJsonPath) ? JSON.parse(readFileSync(currentPackageJsonPath, "utf-8")) : null; L106: const currentPackageDir = currentPackageJson?.name === packageName ? process.cwd() : null; ... L136: // src/constants.ts L137: var ANGULAR_INIT_TIMEOUT_MS = 500, ANSI_ESCAPE_CODE = 27, ANSI_ESCAPE_LENGTH = 3, ASCII_SPACE = 32, BASE_36_RADIX = 36, BUN_BUILD_WARNING_SUPPRESSION = "wildcard sideEffects are no... L138: var init_constants = __esm(() => { ... L876: STYLE_LANGUAGE_PATTERN = /^(s[ac]ss|less|styl(?:us)?)$/i; L877: importOptionalPeer = new Function("specifier", "return import(specifier)"); L878: requireOptionalPeer = new Function("specifier", "return require(specifier)"); ... L923: } L924: if (!sourcePath.includes(`${join3(process.cwd(), "build")}${process.platform === "win32" ? "" : "/"}`) && !sourcePath.includes("/build/")) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/svelte/server.jsView on unpkg · L103
dist/vue/server.jsView file
81// src/constants.ts L82: var ANGULAR_INIT_TIMEOUT_MS = 500, ANSI_ESCAPE_CODE = 27, ANSI_ESCAPE_LENGTH = 3, ASCII_SPACE = 32, BASE_36_RADIX = 36, BUN_BUILD_WARNING_SUPPRESSION = "wildcard sideEffects are no... L83: var init_constants = __esm(() => { ... L140: return storage; L141: }, normalizeCallsitePath = (value) => value.replace(`${process.cwd()}/`, "").replace(process.cwd(), "").replace(/^\.\/+/, ""), shouldIgnoreRouteCallsiteFrame = (frame) => frame.inc... L142: const location = stack.split(` ... L213: return headers; L214: }, computeEtag = (html) => `W/"${createHash("sha1").update(html).digest("base64url")}"`, withPageCacheHeaders = async (response, request, options) => { L215: const contentType = response.headers.get("content-type") ?? ""; ... L1174: while (dir !== parse(dir).root) { L1175: const candidate = join2(dir, "package.json"); L1176: const version = checkCandidate(candidate);
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

dist/vue/server.jsView on unpkg · L81
dist/cli/config/server.jsView file
175Cross-file remote execution chain: dist/cli/config/server.js spawns dist/svelte/index.js; helper contains network access plus dynamic code execution. L175: function warnAboutAccessingKey() { L176: specialPropKeyWarningShown || (specialPropKeyWarningShown = true, console.error("%s: `key` is not a prop. Trying to access it will result in `undefined` being returned. If you need... L177: } ... L1552: function writeChunk(destination, chunk) { L1553: chunk.length !== 0 && destination.write(chunk); L1554: } ... L1793: for (index = match.index;index < text.length; index++) { L1794: switch (text.charCodeAt(index)) { L1795: case 34: ... L14125: } L14126: function isPrivateNameConflicted(privateNameMap, element) { L14127: var name = element.key.name;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli/config/server.jsView on unpkg · L175
dist/tailwindcss-oxide.linux-x64-gnu-vcb5zrt4.nodeView file
path = dist/tailwindcss-oxide.linux-x64-gnu-vcb5zrt4.node kind = native_binary sizeBytes = 2993280 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

dist/tailwindcss-oxide.linux-x64-gnu-vcb5zrt4.nodeView on unpkg
dist/cli/index.jsView file
path = dist/cli/index.js kind = oversized_source_file sizeBytes = 9283729 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli/index.jsView on unpkg
path = dist/cli/index.js kind = oversized_cli_entrypoint sizeBytes = 9283729 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli/index.jsView on unpkg

Findings

5 High6 Medium8 Low
HighChild Processdist/build.js
HighShelldist/index.js
HighHost Fingerprint Exfiltrationdist/vue/server.js
HighCross File Remote Execution Contextdist/cli/config/server.js
HighOversized Source Filedist/cli/index.js
MediumDynamic Requiredist/svelte/server.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarydist/tailwindcss-oxide.linux-x64-gnu-vcb5zrt4.node
MediumOversized Cli Entrypointdist/cli/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/svelte/server.js
LowWeak Cryptodist/svelte/server.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings