registry  /  @edge-base/cli  /  0.4.2

@edge-base/cli@0.4.2

⚠ Under review

CLI for EdgeBase — create, develop, and deploy EdgeBase projects

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 63 file(s), 914 KB of source, external domains: 127.0.0.1, api.cloudflare.com, app.example.com, docs.docker.com, edgebase.fun, www.apple.com

Source & flagged code

7 flagged · loading source
dist/lib/node-tools.jsView file
1import { execFileSync } from 'node:child_process'; L2: import { createRequire } from 'node:module';
High
Child Process

Package source references child process execution.

dist/lib/node-tools.jsView on unpkg · L1
dist/lib/pack.jsView file
439if (process.platform === 'win32') { L440: execFileSync('powershell', [ L441: '-NoProfile',
High
Shell

Package source references shell execution.

dist/lib/pack.jsView on unpkg · L439
dist/lib/dev-sidecar.jsView file
284if (!pgModulePromise) { L285: const dynamicImport = new Function('specifier', 'return import(specifier)'); L286: pgModulePromise = dynamicImport('pg').then((mod) => mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/lib/dev-sidecar.jsView on unpkg · L284
284if (!pgModulePromise) { L285: const dynamicImport = new Function('specifier', 'return import(specifier)'); L286: pgModulePromise = dynamicImport('pg').then((mod) => mod);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/lib/dev-sidecar.jsView on unpkg · L284
dist/commands/dev.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @edge-base/cli@0.3.3 matchedIdentity = npm:QGVkZ2UtYmFzZS9jbGk:0.3.3 similarity = 0.677 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/dev.jsView on unpkg
1import { Command, CommanderError } from 'commander'; L2: import { spawn } from 'node:child_process'; L3: import { createHash, randomBytes } from 'node:crypto'; L4: import { createServer } from 'node:net'; L5: import { chmodSync, existsSync, watch, readFileSync, copyFileSync, unlinkSync, readdirSync, mkdirSync, renameSync, writeFileSync, promises as fsPromises, } from 'node:fs'; ... L32: const PORT_RESERVATION_STALE_GRACE_MS = 10_000; L33: const MAX_RECENT_WRANGLER_STDERR_LINES = 12; L34: const WRANGLER_EXIT_GRACE_MS = 2_500; ... L39: const LOCAL_DEV_BUILD_DEFINE = `${LOCAL_DEV_BUILD_MARKER}:true`; L40: const PORT_RESERVATION_DIR = process.env.EDGEBASE_DEV_PORT_RESERVATION_DIR L41: ? resolve(process.env.EDGEBASE_DEV_PORT_RESERVATION_DIR) ... L72: });
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/commands/dev.jsView on unpkg · L1
dist/commands/deploy.jsView file
1Cross-file remote execution chain: dist/commands/deploy.js spawns dist/lib/dev-sidecar.js; helper contains network access plus dynamic code execution. L1: import { Command } from 'commander'; L2: import { spawn, execFileSync } from 'node:child_process'; L3: import { wranglerArgs, wranglerCommand, wranglerHint } from '../lib/wrangler.js'; ... L33: const RELEASE_ENV_HEADER = '# EdgeBase production secrets'; L34: const ANSI_ESCAPE_REGEX = new RegExp(`${String.fromCharCode(27)}\\[[0-9;]*[a-zA-Z]`, 'g'); L35: const DEPLOY_SUBPROCESS_TIMEOUT_MS = 10 * 60 * 1000; ... L90: const record = error; L91: return [record.message, record.stdout, record.stderr] L92: .map((value) => Buffer.isBuffer(value) ? value.toString('utf8') : String(value ?? '')) ... L351: try { L352: const response = await fetch(workerUrl, { L353: redirect: 'manual',
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/commands/deploy.jsView on unpkg · L1

Findings

1 Critical3 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/commands/dev.js
HighChild Processdist/lib/node-tools.js
HighShelldist/lib/pack.js
HighCross File Remote Execution Contextdist/commands/deploy.js
MediumDynamic Requiredist/lib/dev-sidecar.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/lib/dev-sidecar.js
LowWeak Cryptodist/commands/dev.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings