registry  /  @caplets/core  /  0.34.1

@caplets/core@0.34.1

⚠ Under review

Core runtime library for Caplets Code Mode and progressive disclosure gateways.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 25 file(s), 3.62 MB of source, external domains: 127.0.0.1, base-ui.com, caplets.dev, caplets.example.com, catalog.caplets.dev, cloud.caplets.dev, dashboard.invalid, developer.mozilla.org, eu-assets.i.posthog.com, eu.i.posthog.com, github.com, json-schema.org, posthog.com, raw.githubusercontent.com, react.dev, registry.npmjs.org, schemas.microsoft.com, sentry.io, us-assets.i.posthog.com, us.i.posthog.com, www.apple.com, www.cl.cam.ac.uk, www.w3.org, yandex.com
Oversized source lightweight scan
dist/user-settings-CwCgzN6X.js2.78 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStringscloud.caplets.devschemas.microsoft.comwww.apple.com

Source & flagged code

9 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @caplets/core@0.34.0 matchedIdentity = npm:QGNhcGxldHMvY29yZQ:0.34.0 similarity = 0.920 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
18import path, { basename, dirname, isAbsolute, join, normalize, parse, posix, relative, resolve, sep, win32 } from "node:path"; L19: import childProcess, { execFile, execFileSync, spawn } from "node:child_process"; L20: import process$1, { stdin, stdout } from "node:process";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L18
4216if (process$1.versions?.electron) parseOptions.from = "electron"; L4217: const execArgv = process$1.execArgv ?? []; L4218: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) parseOptions.from = "eval";
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L4216
18Cross-file remote execution chain: dist/index.js spawns dist/schemas-eFQnKfiK.js; helper contains network access plus dynamic code execution. L18: import path, { basename, dirname, isAbsolute, join, normalize, parse, posix, relative, resolve, sep, win32 } from "node:path"; L19: import childProcess, { execFile, execFileSync, spawn } from "node:child_process"; L20: import process$1, { stdin, stdout } from "node:process"; L21: import { Readable, Writable } from "node:stream"; L22: import { STATUS_CODES, createServer } from "node:http"; L23: import { createHash, randomBytes, randomUUID, timingSafeEqual } from "node:crypto"; ... L182: else if (format === "cidr-v6") stringSchema = stringSchema.check(z.cidrv6()); L183: else if (format === "base64") stringSchema = stringSchema.check(z.base64()); L184: else if (format === "base64url") stringSchema = stringSchema.check(z.base64url()); ... L1938: this.writeErr = options.writeErr ?? ((value) => { L1939: process.stderr.write(value); L1940: });
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L18
18Detached bundled service listener: dist/index.js launches a Node helper and exposes a broad-bound HTTP listener. L18: import path, { basename, dirname, isAbsolute, join, normalize, parse, posix, relative, resolve, sep, win32 } from "node:path"; L19: import childProcess, { execFile, execFileSync, spawn } from "node:child_process"; L20: import process$1, { stdin, stdout } from "node:process"; L21: import { Readable, Writable } from "node:stream"; L22: import { STATUS_CODES, createServer } from "node:http"; L23: import { createHash, randomBytes, randomUUID, timingSafeEqual } from "node:crypto"; ... L182: else if (format === "cidr-v6") stringSchema = stringSchema.check(z.cidrv6()); L183: else if (format === "base64") stringSchema = stringSchema.check(z.base64()); L184: else if (format === "base64url") stringSchema = stringSchema.check(z.base64url()); ... L1938: this.writeErr = options.writeErr ?? ((value) => { L1939: process.stderr.write(value); L1940: });
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/index.jsView on unpkg · L18
20757patternName = generic_password severity = medium line = 20757 matchedText = password...ed]"
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.jsView on unpkg · L20757
2634* https://www.typescriptlang.org/docs/handbook/jsdoc-supported-types.html#import-types L2635: * @typedef { import("./argument.js").Argument } Argument L2636: * @typedef { import("./command.js").Command } Command
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L2634
dist/schemas-eFQnKfiK.jsView file
194try { L195: new Function(""); L196: return true;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/schemas-eFQnKfiK.jsView on unpkg · L194
dist/user-settings-CwCgzN6X.jsView file
path = dist/user-settings-CwCgzN6X.js kind = oversized_source_file sizeBytes = 2919729 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/user-settings-CwCgzN6X.jsView on unpkg

Findings

1 Critical5 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
HighCross File Remote Execution Contextdist/index.js
HighSpawned Bundled Service Listenerdist/index.js
HighOversized Source Filedist/user-settings-CwCgzN6X.js
MediumSecret Patterndist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/schemas-eFQnKfiK.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings