
@bonsae/nrg@0.32.0

NRG framework — build Node-RED nodes with Vue 3, TypeScript, and JSON Schema

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Shell
Supply chain: HighEntropyStrings, Minified, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 6 file(s), 422 KB of source, external domains: 127.0.0.1, bonsaedev.github.io, json-schema.org, raw.githubusercontent.com

Source & flagged code

5 flagged
vite/index.js
L265: // src/tools/vite/node-red-launcher/entry-point.ts
L266: import { exec } from "child_process";
L267: import { randomUUID } from "crypto";
High
Child Process

Package source references child process execution.

vite/index.js · L265
Cross-file remote execution chain: vite/index.js spawns lib/server/resources/nrg.229bba2d.js; helper contains network access plus dynamic code execution.
L96: function getPackageName() {
L97:   const pkgPath = path.resolve("./package.json");
L98:   if (fs.existsSync(pkgPath)) {
L99:     try {
L100:       const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
L101:       return pkg.name;
...
L265: // src/tools/vite/node-red-launcher/entry-point.ts
L266: import { exec } from "child_process";
L267: import { randomUUID } from "crypto";
...
L276: try {
L277:   const require_ = createRequire(path2.join(process.cwd(), "package.json"));
L278:   const pkgJsonPath = require_.resolve("node-red/package.json");
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

vite/index.js · L96
L276: try {
L277:   const require_ = createRequire(path2.join(process.cwd(), "package.json"));
L278:   const pkgJsonPath = require_.resolve("node-red/package.json");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

vite/index.js · L276
L96: function getPackageName() {
L97:   const pkgPath = path.resolve("./package.json");
L98:   if (fs.existsSync(pkgPath)) {
L99:     try {
L100:       const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
L101:       return pkg.name;
...
L265: // src/tools/vite/node-red-launcher/entry-point.ts
L266: import { exec } from "child_process";
L267: import { randomUUID } from "crypto";
...
L276: try {
L277:   const require_ = createRequire(path2.join(process.cwd(), "package.json"));
L278:   const pkgJsonPath = require_.resolve("node-red/package.json");
Low
Weak Crypto

Package source references weak cryptographic algorithms.

vite/index.js · L96
lib/server/resources/nrg.229bba2d.js
L5: || (${C} === "string" && ${_} && ${_} == +${_} && !(${_} % 1))`).assign(q,(0,n._)`+${_}`);return;case"boolean":g.elseIf((0,n._)`${_} === "false" || ${_} === 0 || ${_} === null`).as...
L6: || ${C} === "boolean" || ${_} === null`).assign(q,(0,n._)`[${_}]`)}}}function b({gen:a,parentData:i,parentDataProperty:w},g){a.if((0,n._)`${i} !== undefined`,()=>a.assign((0,n._)`$...
L7: missingProperty: ${S},
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/server/resources/nrg.229bba2d.js · L5

Findings

3 High · 3 Medium · 5 Low
High · Child Process · vite/index.js
High · Shell
High · Cross File Remote Execution Context · vite/index.js
Medium · Dynamic Require · vite/index.js
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Eval · lib/server/resources/nrg.229bba2d.js
Low · Weak Crypto · vite/index.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings