registry  /  @bonsae/nrg  /  0.36.0

@bonsae/nrg@0.36.0

NRG framework — build Node-RED nodes with Vue 3, TypeScript, and JSON Schema

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 437 KB of source, external domains: 127.0.0.1, bonsaedev.github.io, json-schema.org, raw.githubusercontent.com

Source & flagged code

5 flagged · loading source
vite/index.jsView file
277// src/tools/vite/node-red-launcher/entry-point.ts L278: import { exec } from "node:child_process"; L279: import { randomUUID } from "node:crypto";
High
Child Process

Package source references child process execution.

vite/index.jsView on unpkg · L277
95Cross-file remote execution chain: vite/index.js spawns lib/server/resources/nrg.0682c337.js; helper contains network access plus dynamic code execution. L95: function getPackageName() { L96: const pkgPath = path.resolve("./package.json"); L97: if (fs.existsSync(pkgPath)) { L98: try { L99: const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8")); L100: return pkg.name; ... L277: // src/tools/vite/node-red-launcher/entry-point.ts L278: import { exec } from "node:child_process"; L279: import { randomUUID } from "node:crypto"; ... L288: try { L289: const require_ = createRequire(path2.join(process.cwd(), "package.json")); L290: const pkgJsonPath = require_.resolve("node-red/package.json");
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

vite/index.jsView on unpkg · L95
288try { L289: const require_ = createRequire(path2.join(process.cwd(), "package.json")); L290: const pkgJsonPath = require_.resolve("node-red/package.json");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

vite/index.jsView on unpkg · L288
95function getPackageName() { L96: const pkgPath = path.resolve("./package.json"); L97: if (fs.existsSync(pkgPath)) { L98: try { L99: const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8")); L100: return pkg.name; ... L277: // src/tools/vite/node-red-launcher/entry-point.ts L278: import { exec } from "node:child_process"; L279: import { randomUUID } from "node:crypto"; ... L288: try { L289: const require_ = createRequire(path2.join(process.cwd(), "package.json")); L290: const pkgJsonPath = require_.resolve("node-red/package.json");
Low
Weak Crypto

Package source references weak cryptographic algorithms.

vite/index.jsView on unpkg · L95
lib/server/resources/nrg.0682c337.jsView file
5|| (${I} === "string" && ${_} && ${_} == +${_} && !(${_} % 1))`).assign(q,(0,n._)`+${_}`);return;case"boolean":g.elseIf((0,n._)`${_} === "false" || ${_} === 0 || ${_} === null`).as... L6: || ${I} === "boolean" || ${_} === null`).assign(q,(0,n._)`[${_}]`)}}}function b({gen:a,parentData:i,parentDataProperty:w},g){a.if((0,n._)`${i} !== undefined`,()=>a.assign((0,n._)`$... L7: missingProperty: ${x},
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/server/resources/nrg.0682c337.jsView on unpkg · L5

Findings

3 High4 Medium5 Low
HighChild Processvite/index.js
HighShell
HighCross File Remote Execution Contextvite/index.js
MediumDynamic Requirevite/index.js
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowEvallib/server/resources/nrg.0682c337.js
LowWeak Cryptovite/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings