registry  /  @decocms/tanstack  /  7.6.0

@decocms/tanstack@7.6.0

Deco framework binding for TanStack Start + Cloudflare Workers

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 37 file(s), 275 KB of source, external domains: admin.deco.cx, api.example.com, deco.cx, example.com, o.com

Source & flagged code

3 flagged · loading source
src/vite/plugin.jsView file
33*/ L34: import { exec, execFileSync } from "node:child_process"; L35: import { existsSync, readFileSync, writeFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

src/vite/plugin.jsView on unpkg · L33
419); L420: const cmd = `npx tsx ${JSON.stringify(scriptPath)} --site ${schemaSiteName}`; L421: exec(cmd, { cwd }, (err) => { L422: schemaInFlight = false;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/vite/plugin.jsView on unpkg · L419
src/sdk/workerEntry.tsView file
472if (data.args && data.args.script) { L473: try { eval(data.args.script); } catch(e) { console.error("[deco] inject error:", e); } L474: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/sdk/workerEntry.tsView on unpkg · L472

Findings

3 High3 Medium6 Low
HighChild Processsrc/vite/plugin.js
HighShell
HighRuntime Package Installsrc/vite/plugin.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalsrc/sdk/workerEntry.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License