registry  /  @decocms/blocks-cli  /  7.5.0

@decocms/blocks-cli@7.5.0

Deco codegen (generate-blocks, generate-schema, generate-invoke) and Fresh-to-TanStack migration tooling

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 96 file(s), 970 KB of source, external domains: analytics.tiktok.com, api.cloudflare.com, bat.bing.com, cdn.example.com, connect.facebook.net, deco-otel-ingest.deco-cx.workers.dev, deco-otel-ingest.example, decoims.com, github.com, graph.instagram.com, ingest.example, ingest.example.com, s.lilstts.com, script.hotjar.com, scripts.clarity.ms, sp.vtex.com, static.hotjar.com, storage.googleapis.com, tailwindcss.com, www.clarity.ms, www.googletagmanager.com

Source & flagged code

4 flagged · loading source
scripts/audit-observability-config.test.tsView file
309} { L310: const { spawnSync } = require("node:child_process") as typeof import( L311: "node:child_process"
High
Child Process

Package source references child process execution.

scripts/audit-observability-config.test.tsView on unpkg · L309
309} { L310: const { spawnSync } = require("node:child_process") as typeof import( L311: "node:child_process"
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/audit-observability-config.test.tsView on unpkg · L309
scripts/sync-blocks-to-kv.tsView file
55purgeUrl: val("--purge-url", ""), L56: purgeToken: val("--purge-token", process.env.PURGE_TOKEN ?? ""), L57: }; ... L60: function gitChangedFiles(since: string, blocksDir: string): string[] { L61: const out = execSync(`git diff --name-only ${since} HEAD`, { encoding: "utf-8" }); L62: return changedBlockFiles(out, blocksDir); ... L65: async function purgeCache(origin: string, token: string, paths: string[]): Promise<void> { L66: const res = await fetch(new URL("/_cache/purge", origin).toString(), { L67: method: "POST",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

scripts/sync-blocks-to-kv.tsView on unpkg · L55
scripts/migrate-to-cf-observability.test.tsView file
14*/ L15: import * as cp from "node:child_process"; L16: import * as fs from "node:fs"; ... L23: function runCodemod(args: string[]): { stdout: string; stderr: string; code: number } { L24: const r = cp.spawnSync("npx", ["tsx", SCRIPT, ...args], { encoding: "utf8" }); L25: return { stdout: r.stdout || "", stderr: r.stderr || "", code: r.status ?? 0 };
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/migrate-to-cf-observability.test.tsView on unpkg · L14

Findings

4 High4 Medium5 Low
HighChild Processscripts/audit-observability-config.test.ts
HighShell
HighSame File Env Network Executionscripts/sync-blocks-to-kv.ts
HighRuntime Package Installscripts/migrate-to-cf-observability.test.ts
MediumDynamic Requirescripts/audit-observability-config.test.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License