registry  /  @camstack/addon-pipeline  /  1.1.30

@camstack/addon-pipeline@1.1.30

⚠ Under review

CamStack Pipeline bundle — runner, detection, motion, decoders, audio + stream broker. Multi-entry npm package shipping 7 addons under a single bundle.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 20 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
Manifest
WildcardDependency
scanned 57 file(s), 8.74 MB of source, external domains: github.com, huggingface.co, json-schema.org, konvajs.github.io, konvajs.org, module-federation.io, react.dev, www.w3.org

Source & flagged code

9 flagged · loading source
dist/audio-codec-ffmpeg/index.jsView file
6let node_crypto = require("node:crypto"); L7: let node_child_process = require("node:child_process"); L8: //#region src/audio-codec-ffmpeg/ffmpeg-audio-process.ts
High
Child Process

Package source references child process execution.

dist/audio-codec-ffmpeg/index.jsView on unpkg · L6
dist/dist-Cwc0TUQr.jsView file
138try { L139: new Function(""); L140: return true;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/dist-Cwc0TUQr.jsView on unpkg · L138
dist/constants-CAqYVigN.jsView file
1let node_fs = require("node:fs"); L2: let node_path = require("node:path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/constants-CAqYVigN.jsView on unpkg · L1
dist/stream-broker/index.mjsView file
14import { networkInterfaces, tmpdir } from "node:os"; L15: import { spawn } from "node:child_process"; L16: import { lookup } from "node:dns/promises"; L17: import { pathToFileURL } from "node:url"; ... L49: msg: typeof o.msg === "string" ? o.msg : "", L50: data: o.data L51: }; ... L74: try { L75: const parsed = JSON.parse(Buffer.concat(chunks).toString("utf8")); L76: const obj = parsed !== null && typeof parsed === "object" ? parsed : null; ... L631: * Spawns `ffmpeg ... -f mpegts pipe:1` (argv supplied by the caller) and L632: * demuxes ffmpeg's MPEG-TS stdout back into per-access-unit `EncodedPacket`s
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/stream-broker/index.mjsView on unpkg · L14
dist/detection-pipeline/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @camstack/addon-pipeline@1.1.18 matchedIdentity = npm:[redacted]:1.1.18 similarity = 0.439 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/detection-pipeline/index.jsView on unpkg
14Cross-file remote execution chain: dist/detection-pipeline/index.js spawns dist/dist-Cwc0TUQr.js; helper contains network access plus dynamic code execution. L14: node_os = require_model_download_service_C_IHWnXx.__toESM(node_os); L15: let node_child_process = require("node:child_process"); L16: let sharp = require("sharp"); ... L67: return { L68: platform: toKnownPlatform(process.platform), L69: arch: toKnownArch(process.arch), ... L355: async function terminateChild(proc, graceMs) { L356: if (proc.exitCode !== null || proc.signalCode !== null) return; L357: try { L358: proc.stdin?.end(); L359: } catch {} ... L447: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/detection-pipeline/index.jsView on unpkg · L14
swift/audio-analyzer/apple-sound-classifierView file
path = swift/audio-analyzer/apple-sound-classifier kind = native_binary sizeBytes = 92712 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

swift/audio-analyzer/apple-sound-classifierView on unpkg
wasm/motion.wasmView file
path = wasm/motion.wasm kind = wasm_module sizeBytes = 2342 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

wasm/motion.wasmView on unpkg
python/test_inference_pool_device_selection.pyView file
path = python/test_inference_pool_device_selection.py kind = build_helper sizeBytes = 8796 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

python/test_inference_pool_device_selection.pyView on unpkg

Findings

1 Critical3 High9 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/detection-pipeline/index.js
HighChild Processdist/audio-codec-ffmpeg/index.js
HighShell
HighCross File Remote Execution Contextdist/detection-pipeline/index.js
MediumDynamic Requiredist/constants-CAqYVigN.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Native Binaryswift/audio-analyzer/apple-sound-classifier
MediumShips Wasm Modulewasm/motion.wasm
MediumShips Build Helperpython/test_inference_pool_device_selection.py
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowEvaldist/dist-Cwc0TUQr.js
LowWeak Cryptodist/stream-broker/index.mjs
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings