registry  /  @arcgis/core  /  5.1.12

@arcgis/core@5.1.12

⚠ Under review

ArcGIS Maps SDK for JavaScript: A complete 2D and 3D mapping and data visualization API

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
Manifest
NoLicense
scanned 5,017 file(s), 22.8 MB of source, external domains: api.fabric.microsoft.com, arcg.is, basemaps3d.arcgis.com, basemapstyles-api.arcgis.com, cdn.arcgis.com, cdndev.arcgis.com, cdnqa.arcgis.com, desktop.arcgis.com, dev.arcgis.com, dev.virtualearth.net, developer.mozilla.org, developers.arcgis.com, devext.arcgis.com, devtopia.esri.com, doc.arcgis.com, en.wikipedia.org, esriurl.com, geocode-api.arcgis.com, github.com, js.arcgis.com, json-schema.org, places-api.arcgis.com, qaext.arcgis.com, raw.githubusercontent.com, resources.arcgis.com, route-api.arcgis.com, server.arcgisonline.com, services.arcgisonline.com, static.arcgis.com, utility.arcgis.com, utility.arcgisonline.com, www.arcgis.com, www.esri.com, www.esriurl.com, www.opengis.net, www.w3.org

Source & flagged code

5 flagged · loading source
core/libs/rbush/PooledRBush.jsView file
1/* COPYRIGHT Esri - https://js.arcgis.com/5.1.12/LICENSE.txt */ L2: import{indexOf as t,PositionHint as i}from"../../arrayUtils.js";import{toConst as n}from"../../compilerUtils.js";import"../../has.js";import e from"../../PooledArray.js";import{q a...
Low
Eval

Package source references a known benign dynamic code generation pattern.

core/libs/rbush/PooledRBush.jsView on unpkg · L1
core/workers/workerFactory.jsView file
1/* COPYRIGHT Esri - https://js.arcgis.com/5.1.12/LICENSE.txt */ L2: import{getAssetUrl as e}from"../../assets.js";import r from"../../config.js";import{getLocale as t}from"../../intl.js";import{fullVersion as o}from"../../kernel.js";import has from...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

core/workers/workerFactory.jsView on unpkg · L1
views/3d/analysis/ShadowCast/ShadowCastTooltip.jsView file
2contains invisible/control Unicode U+2068 (first strong isolate) import{__decorate as t}from"tslib";import o from"../../../../core/Accessor.js";import{createTask as i}from"../../../../core/asyncUtils.js";import{makeHandle as e}from"../../../../core/handleUtils.js";import"../../../../core/has.js";import{c
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

views/3d/analysis/ShadowCast/ShadowCastTooltip.jsView on unpkg · L2
assets/esri/core/libs/libtess/libtess-f32.wasmView file
path = [redacted]-f32.wasm kind = wasm_module sizeBytes = 74691 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

assets/esri/core/libs/libtess/libtess-f32.wasmView on unpkg
assets/esri/views/3d/environment/resources/stars.wsvView file
path = [redacted].wsv kind = high_entropy_blob sizeBytes = 81864 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/esri/views/3d/environment/resources/stars.wsvView on unpkg

Findings

1 Critical1 High6 Medium7 Low
CriticalTrojan Source Unicodeviews/3d/analysis/ShadowCast/ShadowCastTooltip.js
HighShips High Entropy Blobassets/esri/views/3d/environment/resources/stars.wsv
MediumDynamic Requirecore/workers/workerFactory.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Wasm Moduleassets/esri/core/libs/libtess/libtess-f32.wasm
MediumStructural Risk Force Deep Review
LowEvalcore/libs/rbush/PooledRBush.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License