registry  /  @convertr/cli  /  2.0.6

@convertr/cli@2.0.6

⚠ Under review

Convertr CLI — theme development tool

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 15 file(s), 46.7 KB of source, external domains: api-gateway.convertr.app.br, registry.npmjs.org, storage-service.convertr.app.br

Source & flagged code

5 flagged · loading source
lib/git.jsView file
2import os from 'os' L3: import { execSync } from 'child_process' L4: import { dirname, join } from 'path'
High
Child Process

Package source references child process execution.

lib/git.jsView on unpkg · L2
lib/assets.jsView file
3import crypto from 'crypto' L4: import axios from 'axios' L5: import FormData from 'form-data' L6: ... L22: if (!fs.existsSync(manifestPath)) return {} L23: return JSON.parse(fs.readFileSync(manifestPath, 'utf8')) L24: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/assets.jsView on unpkg · L3
commands/theme.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @convertr/cli@2.0.2 matchedIdentity = npm:QGNvbnZlcnRyL2NsaQ:2.0.2 similarity = 0.636 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

commands/theme.jsView on unpkg
96console.log(chalk.yellow('⟳ Instalando dependências do storefront...')) L97: execSync('npm install', { cwd: storefrontDir, stdio: 'inherit' }) L98: } L99: L100: console.log(chalk.magenta(`▶ Storefront rodando em http://localhost:${opts.port}`)) L101: ... L108: env: { L109: ...process.env, L110: PORT: opts.port,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

commands/theme.jsView on unpkg · L96
commands/auth.jsView file
55const open = process.platform === 'darwin' ? 'open' : 'xdg-open' L56: execSync(`${open} "${device.verification_uri_complete}"`) L57: } catch (_) {} ... L62: L63: process.stdout.write(chalk.gray('Aguardando autenticação no browser')) L64: ... L69: try { L70: const { data } = await axios.post(`https://${AUTH0_DOMAIN}/oauth/token`, { L71: client_id: AUTH0_CLIENT_ID,
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

commands/auth.jsView on unpkg · L55

Findings

1 Critical4 High2 Medium5 Low
CriticalPrevious Version Dangerous Deltacommands/theme.js
HighChild Processlib/git.js
HighShell
HighSame File Env Network Executioncommands/theme.js
HighCommand Output Exfiltrationcommands/auth.js
MediumNetwork
MediumEnvironment Vars
LowWeak Cryptolib/assets.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License