registry  /  @donotdev/cli  /  0.1.45

@donotdev/cli@0.1.45

⚠ Under review

Command-line interface for DoNotDev Framework

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 19 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 8.96 MB of source, external domains: api.supabase.com, api.vercel.com, bun.sh, cli.github.com, cloud.google.com, console.cloud.google.com, console.firebase.google.com, developer.apple.com, developer.mozilla.org, example.com, feross.org, firebase.google.com, git-scm.com, github.com, googleapis.dev, identitytoolkit.googleapis.com, jimmy.warting.se, nodejs.org, picsum.photos, registry.npmjs.org, securetoken.google.com, sentry.io, session.firebase.google.com, supabase.com, vercel.com, www.apache.org, www.googleapis.com, yarnpkg.com, your-project.supabase.co
Oversized source lightweight scan
dist/bin/commands/db.js6.35 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringsapi.supabase.comcloud.google.comfeross.orgfirebase.google.comgithub.comjimmy.warting.sesupabase.comwww.apache.org
dist/bin/commands/make-admin.js3.16 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsHighEntropyStringsUrlStringscloud.google.comfirebase.google.comidentitytoolkit.googleapis.comsecuretoken.google.comsession.firebase.google.comwww.googleapis.com
dist/bin/commands/seed.js6.35 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringsapi.supabase.comcloud.google.comdeveloper.mozilla.orgexample.comfeross.orgfirebase.google.comgithub.comgoogleapis.devjimmy.warting.sepicsum.photossupabase.comwww.apache.org

Source & flagged code

12 flagged · loading source
dist/bin/commands/wai.jsView file
7458try { L7459: const { execSync } = await import("node:child_process"); L7460: const platform = process.platform;
High
Child Process

Package source references child process execution.

dist/bin/commands/wai.jsView on unpkg · L7458
dist/bin/commands/preview.jsView file
8489if (useShell) { L8490: return spawn(command, args, { ...rest, shell: true }); L8491: }
High
Shell

Package source references shell execution.

dist/bin/commands/preview.jsView on unpkg · L8489
dist/bin/commands/setup.jsView file
235function wrapAnsi(string, columns, options) { L236: return String(string).normalize().split(CRLF_OR_LF).map((line) => exec(line, columns, options)).join("\n"); L237: } ... L504: import { styleText as y } from "node:util"; L505: import { stdout as S, stdin as $ } from "node:process"; L506: import * as _ from "node:readline"; ... L539: if (V([l, a, h], "cancel")) { L540: s && t2.write(import_sisteransi.cursor.show), process.exit(0); L541: return; ... L569: u = { actions: new Set(E), aliases: /* @__PURE__ */ new Map([["k", "up"], ["j", "down"], ["h", "left"], ["l", "right"], ["", "cancel"], ["escape", "cancel"]]), messages: { cancel:... L570: Y = globalThis.process.platform.startsWith("win"); L571: C = /* @__PURE__ */ Symbol("clack:cancel");
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/bin/commands/setup.jsView on unpkg · L235
Trigger-reachable chain: manifest.bin -> dist/bin/dndev.js -> dist/bin/commands/setup.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/bin/commands/setup.jsView on unpkg
10057try { L10058: const value = new Function( L10059: ...Object.keys(mergedContext),
High
Eval

Package source references dynamic code evaluation.

dist/bin/commands/setup.jsView on unpkg · L10057
dist/bin/donotdev.jsView file
21"use strict"; L22: require2 = createRequire(import.meta.url); L23: __filename = fileURLToPath(import.meta.url);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin/donotdev.jsView on unpkg · L21
dist/bin/commands/deploy.jsView file
19380}); L19381: readFromStdout(stdout); L19382: afterClose(null); ... L19390: let worker = new worker_threads2.Worker(__filename, { L19391: workerData: { workerPort, defaultWD, esbuildVersion: "0.27.7" }, L19392: transferList: [workerPort], L19393: // From node's documentation: https://nodejs.org/api/worker_threads.html L19394: // L19395: // Take care when launching worker threads from preload scripts (scripts loaded L19396: // and run using the `-r` command line flag). Unless the `execArgv` option is L19397: // explicitly set, new Worker threads automatically inherit the command line flags
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/bin/commands/deploy.jsView on unpkg · L19380
235function wrapAnsi(string, columns, options) { L236: return String(string).normalize().split(CRLF_OR_LF).map((line) => exec(line, columns, options)).join("\n"); L237: } ... L504: import { styleText as y } from "node:util"; L505: import { stdout as S, stdin as $ } from "node:process"; L506: import * as _ from "node:readline"; ... L539: if (V([l, a, h], "cancel")) { L540: s && t2.write(import_sisteransi.cursor.show), process.exit(0); L541: return; ... L569: u = { actions: new Set(E), aliases: /* @__PURE__ */ new Map([["k", "up"], ["j", "down"], ["h", "left"], ["l", "right"], ["", "cancel"], ["escape", "cancel"]]), messages: { cancel:... L570: Y = globalThis.process.platform.startsWith("win"); L571: C = /* @__PURE__ */ Symbol("clack:cancel");
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/bin/commands/deploy.jsView on unpkg · L235
dist/bin/commands/build.jsView file
235Cross-file remote execution chain: dist/bin/commands/build.js spawns dist/index.js; helper contains network access plus dynamic code execution. L235: function wrapAnsi(string, columns, options) { L236: return String(string).normalize().split(CRLF_OR_LF).map((line) => exec(line, columns, options)).join("\n"); L237: } ... L504: import { styleText as y } from "node:util"; L505: import { stdout as S, stdin as $ } from "node:process"; L506: import * as _ from "node:readline"; ... L539: if (V([l, a, h], "cancel")) { L540: s && t2.write(import_sisteransi.cursor.show), process.exit(0); L541: return; ... L569: u = { actions: new Set(E), aliases: /* @__PURE__ */ new Map([["k", "up"], ["j", "down"], ["h", "left"], ["l", "right"], ["", "cancel"], ["escape", "cancel"]]), messages: { cancel:... L570: Y = globalThis.process.platform.startsWith("win"); L571: C = /* @__PURE__ */ Symbol("clack:cancel");
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/commands/build.jsView on unpkg · L235
templates/app-demo/public/icon-192x192.png.exampleView file
path = templates/app-demo/public/icon-192x192.png.example kind = high_entropy_blob sizeBytes = 7210 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

templates/app-demo/public/icon-192x192.png.exampleView on unpkg
dist/bin/commands/db.jsView file
path = dist/bin/commands/db.js kind = oversized_source_file sizeBytes = 6654726 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/bin/commands/db.jsView on unpkg
path = dist/bin/commands/db.js kind = oversized_cli_entrypoint sizeBytes = 6654726 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/bin/commands/db.jsView on unpkg

Findings

2 Critical7 High5 Medium5 Low
CriticalRemote Asset Decode Executedist/bin/commands/setup.js
CriticalTrigger Reachable Dangerous Capabilitydist/bin/commands/setup.js
HighChild Processdist/bin/commands/wai.js
HighShelldist/bin/commands/preview.js
HighEvaldist/bin/commands/setup.js
HighCommand Output Exfiltrationdist/bin/commands/deploy.js
HighCross File Remote Execution Contextdist/bin/commands/build.js
HighShips High Entropy Blobtemplates/app-demo/public/icon-192x192.png.example
HighOversized Source Filedist/bin/commands/db.js
MediumDynamic Requiredist/bin/donotdev.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/bin/commands/db.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/bin/commands/deploy.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings