
@everystack/cli@0.3.22

CLI and OTA updates for Expo apps on everystack

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

Behavioral surface (source): Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: Copyleft License
Scanned 119 file(s), 917 KB of source; external domains: docs.expo.dev, react.dev

Source & flagged code

5 flagged
src/cli/utils/export.ts
L1: import { spawn } from 'child_process';
L2: import fs from 'fs/promises';
High
Child Process

Package source references child process execution.

src/cli/utils/export.ts · L1 (view on unpkg)
src/cli/commands/runbook.ts
L29: try {
L30: const dir = eval('__dirname') as string;
L31: const pkg = JSON.parse(fs.readFileSync(path.join(dir, '..', '..', '..', 'package.json'), 'utf8'));
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/cli/commands/runbook.ts · L29 (view on unpkg)
src/env.js
L8: * Usage:
L9: * const { extra } = require('@everystack/cli/env').load();
L10: * module.exports = { expo: { extra } };
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/env.js · L8 (view on unpkg)
src/handler/signing.ts
L2:
L3: export function signRSASHA256(data: string, privateKey: string): string {
L4: const sign = crypto.createSign('RSA-SHA256');
...
L6: sign.end();
L7: return sign.sign(privateKey, 'base64');
L8: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/handler/signing.ts · L2 (view on unpkg)
src/cli/commands/lighthouse.ts
L8: * Config-free: the target URL is the deployed router URL from SST outputs
L9: * (resolveConfig), or --host. Requires `npx lighthouse` and a headless Chrome.
L10: */
L11:
L12: import { execFileSync } from 'node:child_process';
L13: import { readFileSync, mkdtempSync, writeFileSync } from 'node:fs';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/cli/commands/lighthouse.ts · L8 (view on unpkg)

Findings

3 High · 4 Medium · 7 Low

Severity | Finding                  | File
High     | Child Process            | src/cli/utils/export.ts
High     | Shell                    |
High     | Runtime Package Install  | src/cli/commands/lighthouse.ts
Medium   | Dynamic Require          | src/env.js
Medium   | Network                  |
Medium   | Environment Vars         |
Medium   | Structural Risk (Force Deep Review) |
Low      | Scripts Present          |
Low      | Eval                     | src/cli/commands/runbook.ts
Low      | Weak Crypto              | src/handler/signing.ts
Low      | Filesystem               |
Low      | High Entropy Strings     |
Low      | Url Strings              |
Low      | Copyleft License         |