registry  /  @effo/cli  /  1.7.0

@effo/cli@1.7.0

⚠ Under review

Build Effo Apps locally — author, preview, and publish from your terminal

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
WildcardDependency
scanned 10 file(s), 234 KB of source, external domains: github.com, registry.npmjs.org

Source & flagged code

4 flagged · loading source
dist/effo.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @effo/cli@1.2.0 matchedIdentity = npm:QGVmZm8vY2xp:1.2.0 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/effo.jsView on unpkg
9`)}},debug(e){fo&&process.stderr.write(`${je.dim(`[debug] ${e}`)} L10: `)},raw(e){process.stdout.write(e)}};import ne from"picocolors";import{existsSync as Rt}from"node:fs";import{basename as xt}from"node:path";import{existsSync as wo,mkdirSync as bo,... L11: `,"utf-8")}import{existsSync as uo}from"node:fs";import{basename as rt,join as go}from"node:path";var cr=[{packageName:"react",vendorPath:"/effo-runtime/react.js",version:"19.2.6"}...
High
Child Process

Package source references child process execution.

dist/effo.jsView on unpkg · L9
1#!/usr/bin/env bun L2: import{Command as bs}from"commander";import $s from"picocolors";import{existsSync as Er,readFileSync as Tr,writeFileSync as Vn}from"node:fs";import{homedir as Wn}from"node:os";impo... L3: `,{encoding:"utf-8",mode:384})}function Yn(e){let r=Ee(e);if(Er(r))try{let{authUrl:o}=JSON.parse(Tr(r,"utf-8")),n=/^https:\/\/auth\.(.+?)\/?$/.exec(o??"")?.[1];return!n||n===oe||n.... ... L9: `)}},debug(e){fo&&process.stderr.write(`${je.dim(`[debug] ${e}`)} L10: `)},raw(e){process.stdout.write(e)}};import ne from"picocolors";import{existsSync as Rt}from"node:fs";import{basename as xt}from"node:path";import{existsSync as wo,mkdirSync as bo,... L11: `,"utf-8")}import{existsSync as uo}from"node:fs";import{basename as rt,join as go}from"node:path";var cr=[{packageName:"react",vendorPath:"/effo-runtime/react.js",version:"19.2.6"}...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/effo.jsView on unpkg · L1
1#!/usr/bin/env bun L2: import{Command as bs}from"commander";import $s from"picocolors";import{existsSync as Er,readFileSync as Tr,writeFileSync as Vn}from"node:fs";import{homedir as Wn}from"node:os";impo... L3: `,{encoding:"utf-8",mode:384})}function Yn(e){let r=Ee(e);if(Er(r))try{let{authUrl:o}=JSON.parse(Tr(r,"utf-8")),n=/^https:\/\/auth\.(.+?)\/?$/.exec(o??"")?.[1];return!n||n===oe||n.... L4: `)},success(e){process.stdout.write(`${je.green("\u2713")} ${e} ... L9: `)}},debug(e){fo&&process.stderr.write(`${je.dim(`[debug] ${e}`)} L10: `)},raw(e){process.stdout.write(e)}};import ne from"picocolors";import{existsSync as Rt}from"node:fs";import{basename as xt}from"node:path";import{existsSync as wo,mkdirSync as bo,... L11: `,"utf-8")}import{existsSync as uo}from"node:fs";import{basename as rt,join as go}from"node:path";var cr=[{packageName:"react",vendorPath:"/effo-runtime/react.js",version:"19.2.6"}...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/effo.jsView on unpkg · L1

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/effo.js
HighChild Processdist/effo.js
HighSame File Env Network Executiondist/effo.js
HighCommand Output Exfiltrationdist/effo.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings