Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNativeBindingsShell
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/ensure-tree-sitter-cli-binary.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgscripts/build.jsView file
3const {join} = require('path');
L4: const {spawnSync} = require('child_process');
L5: const {spawnTreeSitter, spawnTreeSitterAsync, root} = require('./tree-sitter-cli.cjs');
High
32// Rebuild native addon
L33: const rb = spawnSync('npx', ['node-gyp', 'rebuild'], {cwd: root, stdio: 'inherit'});
L34: if (rb.status !== 0) {
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
scripts/build.jsView on unpkg · L32binding.gypView file
•path = binding.gyp
kind = build_helper
sizeBytes = 792
magicHex = [redacted]
Medium
Findings
4 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/build.js
HighShell
HighRuntime Package Installscripts/build.js
MediumEnvironment Vars
MediumShips Build Helperbinding.gyp
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings