registry  /  @cocos/ccbuild  /  2.3.20

@cocos/ccbuild@2.3.20

The next generation of build tool for Cocos engine.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a build library that reads an explicitly supplied engine project and writes build artifacts when its APIs are invoked.

Static reason
One or more suspicious static signals were detected.
Trigger
User invokes Cocos build, bundling, or StatsQuery APIs with an engine path/configuration.
Impact
Trusted project configuration can influence generated build output; no exfiltration, stealth persistence, or automatic install-time action is established.
Mechanism
Project-config expression evaluation and engine-module loading during explicit builds.
Rationale
Static source inspection shows package-aligned Cocos build tooling without lifecycle execution, network access, credential harvesting, or foreign control-surface mutation. The flagged dynamic primitives process engine configuration during explicit build operations and do not form a concrete malicious chain.
Evidence
package.jsonlib/src/index.jsmodules/stats-query/lib/index.jsmodules/build-engine/lib/engine-ts/engine-builder.jsmodules/dts-bundler/lib/index.js

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `modules/stats-query/lib/index.js` uses `new Function` for config expressions and path templates.
  • `modules/build-engine/lib/engine-ts/engine-builder.js` dynamically requires a resolved engine module at build time.
Evidence against
  • `package.json` has no lifecycle scripts or bin entrypoints.
  • `lib/src/index.js` only re-exports local build-tool modules.
  • No child-process, HTTP/S, socket, credential, AI-agent, or persistence API use was found in package JavaScript.
  • File writes in `modules/dts-bundler/lib/index.js` and build-engine target explicit build output paths.
  • Dynamic evaluation is tied to Cocos engine configuration and generated-module expressions, not install/import-time execution.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 42 file(s), 229 KB of source

Source & flagged code

3 flagged · loading source
modules/stats-query/lib/index.jsView file
253// eslint-disable-next-line @typescript-eslint/no-implied-eval,no-new-func L254: const result = new Function('context', `return ${test}`)(context); L255: // console.debug(`Eval "${test}" to ${result}`);
Low
Eval

Package source references a known benign dynamic code generation pattern.

modules/stats-query/lib/index.jsView on unpkg · L253
lib/src/index.jsView file
37exports.dtsBundler = exports.Modularize = exports.Bundler = exports.Transformer = exports.ConfigInterface = exports.StatsQuery = exports.buildEngine = void 0; L38: const Transformer = __importStar(require("../../modules/transformer/lib/index.js")); L39: exports.Transformer = Transformer;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/src/index.jsView on unpkg · L37
package.jsonView file
Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighNode Builtin Dependency Squatpackage.json
MediumDynamic Requirelib/src/index.js
MediumEnvironment Vars
LowEvalmodules/stats-query/lib/index.js
LowFilesystem
LowHigh Entropy Strings