registry  /  @djangocfg/nextjs  /  2.1.464

@djangocfg/nextjs@2.1.464

⚠ Under review

Next.js server utilities: sitemap, health, OG images, contact forms, navigation, config

Static Scan Results

scanned 22h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 80 file(s), 334 KB of source, external domains: api.stripe.com, checkout.stripe.com, djangocfg.com, github.com, js.stripe.com, mcp.djangocfg.com, registry.npmjs.org, www.sitemaps.org

Source & flagged code

5 flagged · loading source
dist/config/index.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @djangocfg/nextjs@2.1.447 matchedIdentity = npm:QGRqYW5nb2NmZy9uZXh0anM:2.1.447 similarity = 0.937 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/config/index.mjsView on unpkg
478import chalk from "chalk"; L479: import { execSync, spawn } from "child_process"; L480: import Conf from "conf";
High
Child Process

Package source references child process execution.

dist/config/index.mjsView on unpkg · L478
654const proc = spawn(cmd, args, { L655: shell: true, L656: cwd: process.cwd(),
High
Shell

Package source references shell execution.

dist/config/index.mjsView on unpkg · L654
src/config/plugins/devStartup.tsView file
90private checkPWASetup(): void { L91: const fs = require('fs'); L92: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/config/plugins/devStartup.tsView on unpkg · L90
src/config/packages/updater.tsView file
337const command = pm === 'pnpm' L338: ? `pnpm add ${pkg.name}@latest` L339: : pm === 'yarn' ... L343: return new Promise((resolve) => { L344: const proc = spawn(command, { L345: shell: true,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/config/packages/updater.tsView on unpkg · L337

Findings

1 Critical3 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/config/index.mjs
HighChild Processdist/config/index.mjs
HighShelldist/config/index.mjs
HighRuntime Package Installsrc/config/packages/updater.ts
MediumDynamic Requiresrc/config/plugins/devStartup.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings