
@eldrex/core@1.0.5

Core engine for DevDiff — intelligent, privacy-first changelog generation

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

Decision evidence (public snapshot)

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 2 file(s), 386 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.groq.com, api.openai.com, devdiff.vercel.app, fonts.googleapis.com, fonts.gstatic.com, git-scm.com, github.com, nodejs.org, ollama.com, registry.npmjs.org

Source & flagged code

5 flagged
dist/index.js
L560: // src/security/shell-sandbox.ts
L561: import { exec } from "child_process";
L562:
High
Child Process

Package source references child process execution.

dist/index.js · L560

L682: };
L683: function execAsync(command, args, options) {
L684: return new Promise((resolve9, reject) => {
High
Shell

Package source references shell execution.

dist/index.js · L682

L5409: message: `Node.js ${nodeVersion} is too old (need >= 20.0.0)`,
L5410: fix: "Install from https://nodejs.org"
L5411: });
...
L5415: try {
L5416: execSync2('powershell -Command "Write-Host test"', { stdio: "pipe" });
L5417: } catch {
...
L5424: }
L5425: if (!process.env.WT_SESSION) {
L5426: issues.push({
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L5409

L33: "dist/**",
L34: "package-lock.json",
L35: "pnpm-lock.yaml",
...
L560: // src/security/shell-sandbox.ts
L561: import { exec } from "child_process";
L562:
...
L568: static getLogPath() {
L569: return process.env.DEVDIFF_AUDIT_PATH || path2.resolve(process.cwd(), ".devdiff/security-audit.enc");
L570: }
...
L587: const authTag = cipher.getAuthTag();
L588: return Buffer.concat([iv, authTag, encrypted]).toString("base64");
L589: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.js · L33

L6297: ${references.map((r) => ` - ${r}`).join("\n")}` : `Removed ${path14.basename(deleted.path)} (no imports detected)`,
L6298: evidence: references.length > 0 ? [`${references.length} dangling import(s) found`] : ["No imports found referencing this file"]
L6299: });
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.js · L6297

Findings

4 High · 4 Medium · 4 Low

High · Child Process · dist/index.js
High · Shell · dist/index.js
High · Same File Env Network Execution · dist/index.js
High · Sandbox Evasion Gated Capability · dist/index.js
Medium · Dynamic Require · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings