registry  /  @camstack/addon-pipeline  /  1.1.26

@camstack/addon-pipeline@1.1.26

⚠ Under review

CamStack Pipeline bundle — runner, detection, motion, decoders, audio + stream broker. Multi-entry npm package shipping 7 addons under a single bundle.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 20 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
Manifest
WildcardDependency
scanned 45 file(s), 5.73 MB of source, external domains: github.com, huggingface.co, json-schema.org, konvajs.github.io, konvajs.org, module-federation.io, react.dev, www.w3.org

Source & flagged code

9 flagged · loading source
dist/audio-codec-ffmpeg/index.jsView file
6let node_crypto = require("node:crypto"); L7: let node_child_process = require("node:child_process"); L8: //#region src/audio-codec-ffmpeg/ffmpeg-audio-process.ts
High
Child Process

Package source references child process execution.

dist/audio-codec-ffmpeg/index.jsView on unpkg · L6
dist/dist-CgEP_0OL.mjsView file
138try { L139: new Function(""); L140: return true;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/dist-CgEP_0OL.mjsView on unpkg · L138
dist/frame-handle-plane-DtTRX_0n.jsView file
1const require_dist = require("./dist-DAIlCdAx.js"); L2: let node_crypto = require("node:crypto");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/frame-handle-plane-DtTRX_0n.jsView on unpkg · L1
dist/stream-broker/index.mjsView file
13import { networkInterfaces, tmpdir } from "node:os"; L14: import { spawn } from "node:child_process"; L15: import { lookup } from "node:dns/promises"; L16: import { pathToFileURL } from "node:url"; ... L48: msg: typeof o.msg === "string" ? o.msg : "", L49: data: o.data L50: }; ... L73: try { L74: const parsed = JSON.parse(Buffer.concat(chunks).toString("utf8")); L75: const obj = parsed !== null && typeof parsed === "object" ? parsed : null; ... L630: * Spawns `ffmpeg ... -f mpegts pipe:1` (argv supplied by the caller) and L631: * demuxes ffmpeg's MPEG-TS stdout back into per-access-unit `EncodedPacket`s
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/stream-broker/index.mjsView on unpkg · L13
dist/detection-pipeline/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @camstack/addon-pipeline@1.1.18 matchedIdentity = npm:[redacted]:1.1.18 similarity = 0.537 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/detection-pipeline/index.jsView on unpkg
12Cross-file remote execution chain: dist/detection-pipeline/index.js spawns dist/model-download-service-C-IHWnXx-DxM2DSns.js; helper contains network access plus dynamic code execution. L12: node_os = require_model_download_service_C_IHWnXx.__toESM(node_os); L13: let node_child_process = require("node:child_process"); L14: let sharp = require("sharp"); ... L157: return { L158: platform: toKnownPlatform(process.platform), L159: arch: toKnownArch(process.arch), ... L370: ] }); L371: if (!this.process.stdout || !this.process.stdin) throw new Error("PoolWorker: failed to create process pipes"); L372: this.process.stderr?.on("data", (chunk) => { ... L410: } L411: const configBuf = Buffer.from(JSON.stringify(config), "utf8"); L412: this.writeFrame(0, MSG_COMMAND, configBuf);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/detection-pipeline/index.jsView on unpkg · L12
swift/audio-analyzer/apple-sound-classifierView file
path = swift/audio-analyzer/apple-sound-classifier kind = native_binary sizeBytes = 92712 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

swift/audio-analyzer/apple-sound-classifierView on unpkg
wasm/motion.wasmView file
path = wasm/motion.wasm kind = wasm_module sizeBytes = 2342 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

wasm/motion.wasmView on unpkg
python/test_inference_pool_device_selection.pyView file
path = python/test_inference_pool_device_selection.py kind = build_helper sizeBytes = 8607 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

python/test_inference_pool_device_selection.pyView on unpkg

Findings

1 Critical3 High9 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/detection-pipeline/index.js
HighChild Processdist/audio-codec-ffmpeg/index.js
HighShell
HighCross File Remote Execution Contextdist/detection-pipeline/index.js
MediumDynamic Requiredist/frame-handle-plane-DtTRX_0n.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Native Binaryswift/audio-analyzer/apple-sound-classifier
MediumShips Wasm Modulewasm/motion.wasm
MediumShips Build Helperpython/test_inference_pool_device_selection.py
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowEvaldist/dist-CgEP_0OL.mjs
LowWeak Cryptodist/stream-broker/index.mjs
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings