Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcebin/temper.jsView file
9import { createRequire } from "node:module";
L10: import { spawnSync } from "node:child_process";
L11:
High
9Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: execution+network
L9: import { createRequire } from "node:module";
L10: import { spawnSync } from "node:child_process";
L11:
...
L19:
L20: const key = `${process.platform} ${process.arch}`;
L21: const entry = PLATFORMS[key];
...
L24: const supported = Object.keys(PLATFORMS).join(", ");
L25: process.stderr.write(
L26: `temper: no prebuilt engine binary for ${key} yet (prebuilt: ${supported}).\n` +
L27: `Build from source with a Rust 1.96+ toolchain instead:\n` +
L28: ` cargo install --git https://github.com/duct-tape-and-markdown/temper\n`,
L29: );
High
Entrypoint Build Divergence
Manifest entrypoint contains risky behavior absent from dist/build output.
bin/temper.jsView on unpkg · L941`with optional dependencies disabled skips it. Restore it with:\n` +
L42: ` npm install ${pkg}\n`,
L43: );
...
L46:
L47: const result = spawnSync(bin, process.argv.slice(2), { stdio: "inherit" });
L48: if (result.error) {
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/temper.jsView on unpkg · L41Findings
4 High1 Medium5 Low
HighChild Processbin/temper.js
HighShell
HighEntrypoint Build Divergencebin/temper.js
HighRuntime Package Installbin/temper.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings