registry  /  @devflow-tools/cli  /  0.8.3

@devflow-tools/cli@0.8.3

⚠ Under review

DevFlow CLI — one command to initialize and manage DevFlow in any project.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 33 file(s), 93.7 KB of source, external domains: github.com

Source & flagged code

4 flagged · loading source
bin/devflow.cjsView file
8L9: var childProcess = require('child_process'); L10: var path = require('path');
High
Child Process

Package source references child process execution.

bin/devflow.cjsView on unpkg · L8
dist/commands/start.jsView file
77console.log(chalk.red(" Dashboard download failed")); L78: console.log(chalk.yellow(` You can still use the API at http://localhost:${opts.port}`)); L79: console.log(chalk.yellow(" To manually download the dashboard, visit: https://github.com/devflow-tools/devflow")); ... L86: if (existsSync(serverPath)) { L87: const child = spawn("node", [serverPath], { L88: env: { ...process.env, PORT: String(opts.dashboardPort) }, L89: cwd: dashboardPath,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/start.jsView on unpkg · L77
dist/commands/plugin-guide.jsView file
50try { L51: execSync(`npm install -g ${plugin}`, { stdio: "inherit" }); L52: console.log(`✓ ${plugin}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/plugin-guide.jsView on unpkg · L50
dist/commands/server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @devflow-tools/cli@0.6.1 matchedIdentity = npm:QGRldmZsb3ctdG9vbHMvY2xp:0.6.1 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/server.jsView on unpkg

Findings

1 Critical4 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/commands/server.js
HighChild Processbin/devflow.cjs
HighShell
HighSame File Env Network Executiondist/commands/start.js
HighRuntime Package Installdist/commands/plugin-guide.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License