registry  /  @builder.io/dev-tools  /  1.72.3

@builder.io/dev-tools@1.72.3

⚠ Under review

Builder.io Visual CMS Devtools

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 20 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 22 file(s), 1.67 MB of source, external domains: acme.com, airbnb.com, api.builder.io, builder.io, cdn.builder.io, dev.acme.com, example.com, feross.org, github.com, instagram.com, nodejs.org, s.io, www.builder.io, www.w3.org
Oversized source lightweight scan
cli/index.cjs4.77 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsCryptoHighEntropyStringsUrlStringsbuilder.iofeross.orggithub.com
server/index.cjs2.59 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsCryptoShellHighEntropyStringsMinifiedUrlStringsacme.comairbnb.comapi.builder.iobuilder.iocdn.builder.iodev.acme.comexample.cominstagram.comwww.builder.iowww.w3.org
server/index.mjs2.58 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsShellHighEntropyStringsMinifiedUrlStringsacme.comairbnb.comapi.builder.iobuilder.iocdn.builder.iodev.acme.comexample.cominstagram.comwww.builder.iowww.w3.org

Source & flagged code

13 flagged · loading source
node/index.cjsView file
3\r L4: `),t.destroy();this.connections.clear(),this.stopHealthMonitoring()}startHealthMonitoring(){this.healthCheckInterval||(this.healthCheckInterval=setInterval(()=>{this.performHealthC... L5: `);for(let a=n;a<i.length;a++){let c=i[a];c.length>1024&&(c=c.slice(0,1024));let u=mc.test(c)?c.replace(mc,"$1"):c;if(!u.includes("Error: ")){for(let p of t){let f=p(u);if(f){s.pus...
High
Child Process

Package source references child process execution.

node/index.cjsView on unpkg · L3
1"use strict";var Bd=Object.create;var vr=Object.defineProperty;var Gd=Object.getOwnPropertyDescriptor;var Hd=Object.getOwnPropertyNames;var jd=Object.getPrototypeOf,$d=Object.proto... L2: `)}function Jd(e,t,r){return{debug(...n){if(!t())return;let{callArgs:o,options:s}=lt(n);Cn(s.stderr?process.stderr:process.stdout,"DEBUG",r,o)},info(...n){if(e>dt.info)return;let{c... L3: \r L4: `),t.destroy();this.connections.clear(),this.stopHealthMonitoring()}startHealthMonitoring(){this.healthCheckInterval||(this.healthCheckInterval=setInterval(()=>{this.performHealthC... L5: `);for(let a=n;a<i.length;a++){let c=i[a];c.length>1024&&(c=c.slice(0,1024));let u=mc.test(c)?c.replace(mc,"$1"):c;if(!u.includes("Error: ")){for(let p of t){let f=p(u);if(f){s.pus... ... L13: Reason: ${d}`))})}_process(t,r){this._numProcessing++,this._promiseBuffer.add(t).then(n=>(this._numProcessing--,n),n=>(this._numProcessing--,n===en&&this.recordDroppedEvent("queue_... L14: `)}var Fg=1024*1024;function gp(e){return e==="small"?1e3:e==="medium"?1e4:Fg}function Vi(e){let t=Object.create(null);try{Object.entries(e).forEach(([r,n])=>{typeof n=="string"?t[... L15: Event: ${gt(e)}`),!0}else{if(Zg(e,t.ignoreErrors))retu
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

node/index.cjsView on unpkg · L1
1"use strict";var Bd=Object.create;var vr=Object.defineProperty;var Gd=Object.getOwnPropertyDescriptor;var Hd=Object.getOwnPropertyNames;var jd=Object.getPrototypeOf,$d=Object.proto... L2: `)}function Jd(e,t,r){return{debug(...n){if(!t())return;let{callArgs:o,options:s}=lt(n);Cn(s.stderr?process.stderr:process.stdout,"DEBUG",r,o)},info(...n){if(e>dt.info)return;let{c... L3: \r L4: `),t.destroy();this.connections.clear(),this.stopHealthMonitoring()}startHealthMonitoring(){this.healthCheckInterval||(this.healthCheckInterval=setInterval(()=>{this.performHealthC... L5: `);for(let a=n;a<i.length;a++){let c=i[a];c.length>1024&&(c=c.slice(0,1024));let u=mc.test(c)?c.replace(mc,"$1"):c;if(!u.includes("Error: ")){for(let p of t){let f=p(u);if(f){s.pus... ... L13: Reason: ${d}`))})}_process(t,r){this._numProcessing++,this._promiseBuffer.add(t).then(n=>(this._numProcessing--,n),n=>(this._numProcessing--,n===en&&this.recordDroppedEvent("queue_... L14: `)}var Fg=1024*1024;function gp(e){return e==="small"?1e3:e==="medium"?1e4:Fg}function Vi(e){let t=Object.create(null);try{Object.entries(e).forEach(([r,n])=>{typeof n=="string"?t[... L15: Event: ${gt(e)}`),!0}else{if(Zg(e,t.ignoreErrors))retu
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

node/index.cjsView on unpkg · L1
12patternName = generic_password severity = medium line = 12 matchedText = `)}`)}fu...ent.
Medium
Secret Pattern

Package contains a possible secret pattern.

node/index.cjsView on unpkg · L12
next/index.cjsView file
24if (opts.enabled !== false) { L25: const { BuilderDevToolsPlugin } = require("../webpack/index.cjs"); L26: config.plugins.push(new BuilderDevToolsPlugin(opts));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

next/index.cjsView on unpkg · L24
node/index.mjsView file
13patternName = generic_password severity = medium line = 13 matchedText = `)}`)}fu...ent.
Medium
Secret Pattern

Hardcoded password in node/index.mjs

node/index.mjsView on unpkg · L13
1import { createRequire } from 'module'; const require = createRequire(import.meta.url); L2: var Rd=Object.create;var In=Object.defineProperty;var Ad=Object.getOwnPropertyDescriptor;var vd=Object.getOwnPropertyNames;var Nd=Object.getPrototypeOf,xd=Object.prototype.hasOwnPr... L3: `)}function Pd(e,t,r){return{debug(...n){if(!t())return;let{callArgs:o,options:s}=ft(n);Rn(s.stderr?process.stderr:process.stdout,"DEBUG",r,o)},info(...n){if(e>lt.info)return;let{c... L4: \r L5: `),t.destroy();this.connections.clear(),this.stopHealthMonitoring()}startHealthMonitoring(){this.healthCheckInterval||(this.healthCheckInterval=setInterval(()=>{this.performHealthC... L6: `);for(let a=n;a<i.length;a++){let c=i[a];c.length>1024&&(c=c.slice(0,1024));let u=sc.test(c)?c.replace(sc,"$1"):c;if(!u.includes("Error: ")){for(let p of t){let f=p(u);if(f){s.pus... ... L13: `)}`)}function ou(e){if(!g)return;let{description:t="< unknown name >",op:r="< unknown op >"}=w(e),{spanId:n}=e.spanContext(),s=$(e)===e,i=`[Tracing] Finishing "${r}" ${s?"root ":"... L14: Reason: ${d}`))})}_process(t,r){this._numProcessing++,this._promiseBuffer.add(t).then(n=>(this._numProcessing--,n),n=>(this._numProcessing--,n===Kr&&th
Low
Weak Crypto

Package source references weak cryptographic algorithms.

node/index.mjsView on unpkg · L1
core/index.cjsView file
1"use strict";var Mi=Object.create;var ht=Object.defineProperty;var Ui=Object.getOwnPropertyDescriptor;var zi=Object.getOwnPropertyNames;var qi=Object.getPrototypeOf,Ji=Object.proto... L2: `),n;for(;(n=ta.exec(r))!=null;){let o=n[1],i=n[2]||"";i=i.trim();let a=i[0];i=i.replace(/^(['"`])([\s\S]*)\1$/gm,"$2"),a==='"'&&(i=i.replace(/\\n/g,` L3: `),i=i.replace(/\\r/g,"\r")),t[o]=i}return t}var ta=/(?:^|^)\s*(?:export\s+)?([\w.-]+)(?:\s*=\s*?|:\s+?)(\s*'(?:\\'|[^'])*'|\s*"(?:\\"|[^"])*"|\s*`(?:\\`|[^`])*`|[^#\r\n]+)?\s*(?:#... L4: ... L21: `,r+=");";let n=zt(e,r);return An(e,n,t)}function An(e,t,r){if(!e.ts.isExpressionStatement(t))return t;let n=t.expression;if(!e.ts.isCallExpression(n))return t;let o=[...n.argument... L22: `,getSourceFile:s=>{if(s=e.normalize(s),s.includes("node_modules")){let c=wt.get(s);if(c)return T(e,c.content)}let u;try{u=e.readFileSync(s)}catch{console.error(`Could not read: ${... L23: `).map(n=>n.trimEnd());e="";let r=!1;for(let n=t.length-1;n>=0;n--){let o=t[n];!r&&o.startsWith("import ")&&(r=!0,o=o+` ... L390: ]; L391: `}async function Dt(e){let t=await Et(e,e.getRepoRootDir());if(t&&typeof t=="object"){let r=new Set(Object.keys({...t.dependencies,...t.de
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

core/index.cjsView on unpkg · L1
1Trigger-reachable chain: manifest.main -> core/index.cjs L1: "use strict";var Mi=Object.create;var ht=Object.defineProperty;var Ui=Object.getOwnPropertyDescriptor;var zi=Object.getOwnPropertyNames;var qi=Object.getPrototypeOf,Ji=Object.proto... L2: `),n;for(;(n=ta.exec(r))!=null;){let o=n[1],i=n[2]||"";i=i.trim();let a=i[0];i=i.replace(/^(['"`])([\s\S]*)\1$/gm,"$2"),a==='"'&&(i=i.replace(/\\n/g,` L3: `),i=i.replace(/\\r/g,"\r")),t[o]=i}return t}var ta=/(?:^|^)\s*(?:export\s+)?([\w.-]+)(?:\s*=\s*?|:\s+?)(\s*'(?:\\'|[^'])*'|\s*"(?:\\"|[^"])*"|\s*`(?:\\`|[^`])*`|[^#\r\n]+)?\s*(?:#... L4: ... L21: `,r+=");";let n=zt(e,r);return An(e,n,t)}function An(e,t,r){if(!e.ts.isExpressionStatement(t))return t;let n=t.expression;if(!e.ts.isCallExpression(n))return t;let o=[...n.argument... L22: `,getSourceFile:s=>{if(s=e.normalize(s),s.includes("node_modules")){let c=wt.get(s);if(c)return T(e,c.content)}let u;try{u=e.readFileSync(s)}catch{console.error(`Could not read: ${... L23: `).map(n=>n.trimEnd());e="";let r=!1;for(let n=t.length-1;n>=0;n--){let o=t[n];!r&&o.startsWith("import ")&&(r=!0,o=o+` ... L390: ]; L391: `}async function Dt(e){let t=await Et(e,e.getRepoRootDir());if(t&&typeof t=="obj…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

core/index.cjsView on unpkg · L1
cli/index.cjsView file
context = s("PowerShell")||e.includes("pwsh")?(n=".ps1",i=t.replace(/2>\/dev\/null \|\| true/g,"2>$null; if ($?) {}")):(n=".bat",i=`@echo off\n${t.replace(/2>\/dev\/null \|\| true/g,"2>nul || cd .")}`);else{let s=e.includes("zsh"),a=e.includes("bash"),A=e.includes("sh"),c=e.includes("fish"),u=s?"#!/bin/zsh":a?"#!/bin/bash":c?"#!/bin/fish":A?"#!/bin/sh":"#!/bin/bash";c?(n=".fish",i=`${u}\n${t}`):s?(n=".sh",i=`${u}\nsource ~/.zshrc 2>/dev/null || true\nset -e\n${t}`):(n=".sh",i=`${u}\nset -e\n${t}`)}let o=E2(n);try{return nv.default.writeFileSync(o,i,{mode:493}),o}catch(s){throw new Error(`Failed to create temporary script: ${s}`,{cause:s})}},E2=t=>{let e=x$e(),r=Date.now(),n=Math.random().toString(36).substring(2,8);return I2.default.join(e,`builder_temp_${r}_${n}${t}`)},B2=(t,e,r=!0)=>{if(F$e(t)){let n=R$e(t,e);return e.includes("cmd")||e.includes("CMD")?["/c",n]:e.includes("powershell")||e.includes("PowerShell")||e.includes("pwsh")?["-ExecutionPolicy","Bypass","-File",n]:e.includes("bash")||e.includes("zsh")?r?["-l",n]:[n]:[n]}return e.incl
Critical
Encrypted Payload Temp Execution

Source decrypts an embedded payload, writes it to disk, and executes it through a child process.

cli/index.cjsView on unpkg
vendors/linux-arm64/rgView file
path = vendors/linux-arm64/rg kind = native_binary sizeBytes = 5372896 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

vendors/linux-arm64/rgView on unpkg
vendors/linux-arm64/complete/rg.fishView file
path = vendors/linux-arm64/complete/rg.fish kind = build_helper sizeBytes = 14253 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

vendors/linux-arm64/complete/rg.fishView on unpkg
server/index.cjsView file
path = server/index.cjs kind = oversized_source_file sizeBytes = 2712944 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

server/index.cjsView on unpkg

Findings

3 Critical5 High8 Medium4 Low
CriticalCredential Exfiltrationcore/index.cjs
CriticalEncrypted Payload Temp Executioncli/index.cjs
CriticalTrigger Reachable Dangerous Capabilitycore/index.cjs
HighChild Processnode/index.cjs
HighShell
HighSame File Env Network Executionnode/index.cjs
HighCommand Output Exfiltrationnode/index.cjs
HighOversized Source Fileserver/index.cjs
MediumSecret Patternnode/index.cjs
MediumDynamic Requirenext/index.cjs
MediumEnvironment Vars
MediumProtestware
MediumShips Native Binaryvendors/linux-arm64/rg
MediumShips Build Helpervendors/linux-arm64/complete/rg.fish
MediumStructural Risk Force Deep Review
MediumSecret Patternnode/index.mjs
LowWeak Cryptonode/index.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings