registry  /  @eventcatalog/core  /  4.2.1

@eventcatalog/core@4.2.1

<div align="center">

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 364 file(s), 2.11 MB of source, external domains: api.ecingest.dev, app.eventcatalog.studio, eventcatalog.cloud, eventcatalog.dev, eventcatalog.studio, example.com, github.com, prod.example.com, queue.simpleanalyticscdn.com, uat.example.com, www.eventcatalog.dev, www.plantuml.com, www.w3.org

Source & flagged code

4 flagged · loading source
eventcatalog/src/components/Search/SearchModal.tsxView file
137const loadPagefindModule = (url: string) => { L138: const nativeImport = new Function('url', 'return import(url)') as (url: string) => Promise<PagefindModule>; L139: return nativeImport(url);
Low
Eval

Package source references a known benign dynamic code generation pattern.

eventcatalog/src/components/Search/SearchModal.tsxView on unpkg · L137
dist/migrations/message-channels-to-service-channels.cjsView file
35module.exports = __toCommonJS(message_channels_to_service_channels_exports); L36: var import_node_fs = __toESM(require("fs"), 1); L37: var import_glob = require("glob");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/migrations/message-channels-to-service-channels.cjsView on unpkg · L35
dist/analytics/log-build.cjsView file
179package = @eventcatalog/core; repositoryIdentity = eventcatalog; dependency = glob L179: // src/analytics/count-resources.js L180: var import_glob = require("glob"); L181: var RESOURCE_PATTERNS = {
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/analytics/log-build.cjsView on unpkg · L179
dist/eventcatalog.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @eventcatalog/core@3.48.4 matchedIdentity = npm:QGV2ZW50Y2F0YWxvZy9jb3Jl:3.48.4 similarity = 0.717 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/eventcatalog.cjsView on unpkg

Findings

2 High4 Medium6 Low
HighCopied Package Dependency Bridgedist/analytics/log-build.cjs
HighPrevious Version Dangerous Deltadist/eventcatalog.cjs
MediumDynamic Requiredist/migrations/message-channels-to-service-channels.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaleventcatalog/src/components/Search/SearchModal.tsx
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License