
@diagrammo/dgmo@0.44.1

DGMO diagram markup language — parser, renderer, and color system

Static Scan Results

scanned 4m ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, Minified, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 285 file(s), 10.3 MB of source, external domains: online.diagrammo.app, unpkg.com, www.w3.org
Oversized source lightweight scan
dist/advanced.cjs — 2.50 MB file, sampled 256 KB
ChildProcess, DynamicRequire, HighEntropyStrings, UrlStrings — online.diagrammo.app, www.w3.org
dist/advanced.js — 2.48 MB file, sampled 256 KB
ChildProcess, DynamicRequire, HighEntropyStrings, UrlStrings — online.diagrammo.app, www.w3.org
dist/auto.cjs — 2.46 MB file, sampled 256 KB
ChildProcess, DynamicRequire, HighEntropyStrings, UrlStrings — online.diagrammo.app, www.w3.org
dist/auto.mjs — 2.46 MB file, sampled 256 KB
ChildProcess, DynamicRequire, HighEntropyStrings, UrlStrings — online.diagrammo.app, www.w3.org
dist/element.cjs — 2.46 MB file, sampled 256 KB
Network, ChildProcess, DynamicRequire, HighEntropyStrings, UrlStrings — online.diagrammo.app, unpkg.com, www.w3.org
dist/element.mjs — 2.46 MB file, sampled 256 KB
Network, ChildProcess, DynamicRequire, HighEntropyStrings, UrlStrings — online.diagrammo.app, unpkg.com, www.w3.org
dist/index.cjs — 2.47 MB file, sampled 256 KB
ChildProcess, DynamicRequire, HighEntropyStrings, UrlStrings — online.diagrammo.app, www.w3.org
dist/index.js — 2.46 MB file, sampled 256 KB
ChildProcess, DynamicRequire, HighEntropyStrings, UrlStrings — online.diagrammo.app, www.w3.org

Source & flagged code

8 flagged
package.json
scripts.postinstall = node -e "console.log('\n💡 Claude Code user? Run: dgmo install claude-code\n')"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node -e "console.log('\n💡 Claude Code user? Run: dgmo install claude-code\n')"
Medium
Ambiguous Install Lifecycle Script

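Install-time lifecycle script is not statically allowlisted and needs review. The command shown above is a single `node -e` call that prints a message with console.log; the review should confirm that nothing else runs at install time.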

package.json
dist/element.js
310`).map(o=>o.startsWith("- ")?"\u2022 "+o.slice(2):o);return qo(r,e,o=>_t(o,n))}function y4(t,e,n){if(_t(t,n)<=e)return[t];if(t.includes(" "))return lL(t.split(" "),e,n);if(/[-_:/]/... L311: `),type:"chord"}}return null}async function L4(t,e,n,r,o){let a=o?.exportMode??!1,{parseDgmoChartType:i}=await Promise.resolve().then(()=>(Rh(),JA)),s=i(t),l=dL(t,s,n),c=l?.content... L312: `)&&n.push([])}let r=!1;for(let o of n){let a=o.filter(u=>t[u.idx].text.trim().length>0);if(a.length===0)continue;let i=a[0];if(gut.has(i.nodeName))continue;if(i.nodeName==="ChartT...
High
Child Process

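Package source references child process execution. The excerpt shown above is truncated and does not visibly include the call itself, so the full file has to be inspected to see what is executed and with which arguments.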

dist/element.js · L310
296color: ${o.textMuted}; L297: `,M.innerHTML=Aot(g.description,o),E.appendChild(M)}E.addEventListener("mouseenter",()=>{Xf(i,v),i.querySelectorAll("svg [data-line-number]").forEach(C=>{if(C.getAttribute("data-li... L298: Georgia US-CA heat: 2`},UNKNOWN_AIRPORT_CODE:{code:"E_MAP_UNKNOWN_AIRPORT_CODE",severity:"error",chartType:"map",title:"Unknown airport code",message:t=>`Unknown airport code "${t.... ... L310: `).map(o=>o.startsWith("- ")?"\u2022 "+o.slice(2):o);return qo(r,e,o=>_t(o,n))}function y4(t,e,n){if(_t(t,n)<=e)return[t];if(t.includes(" "))return lL(t.split(" "),e,n);if(/[-_:/]/... L311: `),type:"chord"}}return null}async function L4(t,e,n,r,o){let a=o?.exportMode??!1,{parseDgmoChartType:i}=await Promise.resolve().then(()=>(Rh(),JA)),s=i(t),l=dL(t,s,n),c=l?.content... L312: `)&&n.push([])}let r=!1;for(let o of n){let a=o.filter(u=>t[u.idx].text.trim().length>0);if(a.length===0)continue;let i=a[0];if(gut.has(i.nodeName))continue;if(i.nodeName==="ChartT...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/element.js · L296
307California heat: 9`},REGION_AMBIGUOUS:{code:"W_MAP_REGION_AMBIGUOUS",severity:"warning",chartType:"map",title:"Region is both a country and a US state",message:t=>`"${t.name??""}" ... L308: Georgia heat: 2`}},l2t=Object.values(ia)});function Lv(t){return t}var Nv=st(()=>{"use strict"});function Ry(t){if(t==null)return Lv;var e,n,r=t.scale[0],o=t.scale[1],a=t.translate... L309: `).flatMap(g=>Tn(g,o,n,{hardBreak:!0})):[],u=[];if(e){let g=(v,y)=>{for(let b of v){let E=uct(b.message);u.push({severity:y,sourceLine:b.line,text:E,lines:Tn(E,r-2,n,{hardBreak:!0}...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/element.js · L307
209`);for(let n=0;n<e.length;n++){let r=e[n].trim();if(!r||r.startsWith("#")||r.startsWith("//"))continue;let o=r.match(/^(\w[\w-]*)\s*:\s*(.*)$/);if(!o)return null;let a=o[1].toLower... L210: `).filter(r=>r.trim()&&!r.trim().startsWith("#")&&!r.trim().startsWith("//")).length<=1?[Pt(1,"No content after chart type declaration.","warning")]:[]}var m9,h9,g9,x9,eE,QA,w9,jA,... L211: `)){let n=e.trim();if(!(!n||n.startsWith("//")))return n.split(/\s+/)[0].toLowerCase()}return""}async function iE(t,e,n,r){let o=await Yn(e,n),a=e==="dark",i=r?.width&&r.width>0?Ma...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/element.js · L209
dist/cli.cjs
374`):process.stdout.write(s.url+` L375: `)}var Jdt={command:"dgmo",args:["mcp"]},Gb=["claude-code","codex","claude-desktop","cursor","windsurf","copilot"];function tut(t){let e=process.platform==="win32",n=(a,i)=>(0,ll.s... L376: `,`MCP server \u2192 ${e}`)}function nut(){let t=[];return(0,Pn.existsSync)((0,nn.join)((0,No.homedir)(),".claude"))&&t.push("claude-code"),((0,Pn.existsSync)((0,nn.join)((0,No.hom...
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.cjs · L374
dist/advanced.cjs
path = dist/advanced.cjs kind = oversized_source_file sizeBytes = 2620543 magicHex = [redacted]
High
Oversized Source File

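Package contains source files above the static scanner size ceiling. Per the lightweight-scan list on this page, only 256 KB of each such file was sampled, so signals in the unsampled remainder would not appear in these results.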

dist/advanced.cjs

Findings

6 High · 5 Medium · 6 Low
High — Install Time Lifecycle Scripts — package.json
High — Child Process — dist/element.js
High — Shell
High — Same File Env Network Execution — dist/element.js
High — Runtime Package Install — dist/cli.cjs
High — Oversized Source File — dist/advanced.cjs
Medium — Ambiguous Install Lifecycle Script — package.json
Medium — Dynamic Require — dist/element.js
Medium — Network
Medium — Environment Vars
Medium — Structural Risk Force Deep Review
Low — Non Install Lifecycle Scripts
Low — Scripts Present
Low — Eval — dist/element.js
Low — Filesystem
Low — High Entropy Strings
Low — Url Strings