@claude-sessions/web@0.5.1

⚠ Under review

Web UI for Claude Code session management

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, NativeBindings, Network, Shell
Supply chain: HighEntropyStrings, Minified, Obfuscated, Protestware, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 672 file(s), 20.0 MB of source, external domains: datatracker.ietf.org, github.com, html.spec.whatwg.org, jh3y.medium.com, my.site, svelte.dev, www.w3.org

Source & flagged code

8 flagged
dist/cli.js
L4: import { Command, InvalidArgumentError } from "commander"; L5: import { spawn } from "child_process"; L6: import { createRequire } from "module";
High
Child Process

Package source references child process execution.

dist/cli.js · L4
Cross-file remote execution chain: dist/cli.js spawns build/server/index.js; helper contains network access plus dynamic code execution. L4: import { Command, InvalidArgumentError } from "commander"; L5: import { spawn } from "child_process"; L6: import { createRequire } from "module"; ... L8: import path from "path"; L9: var __dirname = path.dirname(fileURLToPath(import.meta.url)); L10: var serverPath = path.join(__dirname, "..", "build", "index.js"); L11: var require2 = createRequire(import.meta.url); L12: var { version } = require2("../package.json"); L13: function parsePort(value) { ... L22: var serverEnv = { L23: ...process.env, L24: PORT: String(opts.port)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.js · L4
build/server/chunks/_server.ts-CkPMRA8N.js
L8: const execAsync = promisify(exec); L9: function expandHomePath(filePath) {
High
Shell

Package source references shell execution.

build/server/chunks/_server.ts-CkPMRA8N.js · L7
build/client/_app/immutable/chunks/ul8Z6fXD.js
L27: ${r.join(` L28: `)}`),super(o),this._tag=t,this.traces=r,this[Dm]=hM,this.name=s,this.stack=a}pipe(){return Be(this,arguments)}toString(){return this.stack}[zt](){return this.stack}}class dM exten... L29: `,e.forest),_1=(e,t)=>{let n="";const r=t.length;let i;for(let s=0;s<r;s++){i=t[s];const o=s===r-1;n+=e+(o?"└":"├")+"─ "+i.value,n+=_1(e+(r>1&&!o?"│ ":" "),i.forest)}return n},O...
Low
Eval

Package source references a known benign dynamic code generation pattern.

build/client/_app/immutable/chunks/ul8Z6fXD.js · L27
build/server/index.js
L7: /** L8: * @template {{ tracing: { enabled: boolean, root: import('@opentelemetry/api').Span, current: import('@opentelemetry/api').Span } }} T L9: * @param {T} event_like
Medium
Dynamic Require

Package source references dynamic require/import behavior.

build/server/index.js · L7
build/client/_app/immutable/nodes/1.DpNUBFYP.js.gz
path = build/client/_app/immutable/nodes/1.DpNUBFYP.js.gz kind = compressed_blob sizeBytes = 259 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

build/client/_app/immutable/nodes/1.DpNUBFYP.js.gz
build/client/_app/immutable/nodes/0.lQuHUJTx.js.br
path = build/client/_app/immutable/nodes/0.lQuHUJTx.js.br kind = high_entropy_blob sizeBytes = 5085 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

build/client/_app/immutable/nodes/0.lQuHUJTx.js.br
build/index.js
matchType = previous_version_dangerous_delta matchedPackage = @claude-sessions/web@0.5.2 matchedIdentity = npm:QGNsYXVkZS1zZXNzaW9ucy93ZWI:0.5.2 similarity = 0.675 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

build/index.js

Findings

1 Critical · 4 High · 6 Medium · 7 Low
Critical · Previous Version Dangerous Delta · build/index.js
High · Child Process · dist/cli.js
High · Shell · build/server/chunks/_server.ts-CkPMRA8N.js
High · Cross File Remote Execution Context · dist/cli.js
High · Ships High Entropy Blob · build/client/_app/immutable/nodes/0.lQuHUJTx.js.br
Medium · Dynamic Require · build/server/index.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Compressed Blob · build/client/_app/immutable/nodes/1.DpNUBFYP.js.gz
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · build/client/_app/immutable/chunks/ul8Z6fXD.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings