registry  /  @enrichlayer/el-linear  /  1.41.0

@enrichlayer/el-linear@1.41.0

⚠ Under review

A pragmatic CLI for Linear.app — deterministic team/label/member resolution, structured issue validation, configurable term enforcement, and a GraphQL escape hatch.

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 136 file(s), 876 KB of source, external domains: api.linear.app, en.wikipedia.org, example.com, github.com, linear.app

Source & flagged code

4 flagged · loading source
dist/utils/output.jsView file
1import { execFileSync } from "node:child_process"; L2: import { resolveActiveProfile } from "../config/paths.js";
High
Child Process

Package source references child process execution.

dist/utils/output.jsView on unpkg · L1
dist/commands/init/oauth.jsView file
19*/ L20: import { spawn } from "node:child_process"; L21: import { checkbox, input, password, select } from "@inquirer/prompts"; ... L30: const DEFAULT_PORT = 8765; L31: const REGISTRATION_URL = "https://linear.[redacted]"; L32: const VIEWER_QUERY = /* GraphQL */ ` ... L63: let args; L64: if (process.platform === "darwin") { L65: cmd = "open";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/init/oauth.jsView on unpkg · L19
dist/commands/gdoc.jsView file
1import { execFileSync } from "node:child_process"; L2: import { extractDocId, parseGoogleDoc } from "../utils/gdoc-parser.js"; ... L7: .description("Convert a Google Doc to Markdown (requires gws CLI).") L8: .addHelpText("after", "\nAccepts a Google Doc ID or full URL.\nRequires gws CLI: npm install -g @googleworkspace/cli") L9: .action(handleAsyncCommand(async (docIdOrUrl) => {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/gdoc.jsView on unpkg · L1
dist/commands/issue-id.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @enrichlayer/el-linear@1.34.1 matchedIdentity = npm:QGVucmljaGxheWVyL2VsLWxpbmVhcg:1.34.1 similarity = 0.746 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/issue-id.jsView on unpkg

Findings

1 Critical4 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/commands/issue-id.js
HighChild Processdist/utils/output.js
HighShell
HighSandbox Evasion Gated Capabilitydist/commands/init/oauth.js
HighRuntime Package Installdist/commands/gdoc.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings