registry  /  @fern-api/generator-cli  /  0.9.48

@fern-api/generator-cli@0.9.48

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 1.96 MB of source, external domains: api.github.com, buildwithfern.com, central.sonatype.com, crates.io, docs.github.com, fai.buildwithfern.com, fetch.spec.whatwg.org, github.com, img.shields.io, nuget.org, packagist.org, pkg.go.dev, pypi.python.org, rubygems.org, uploads.github.com, www.npmjs.com, yargs.js.org

Source & flagged code

10 flagged · loading source
dist/cli.jsView file
24482patternName = private_key_openssh severity = critical line = 24482 matchedText = { name: .../ },
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/cli.jsView on unpkg · L24482
24482patternName = private_key_openssh severity = critical line = 24482 matchedText = { name: .../ },
Critical
Secret Pattern

OpenSSH private key in dist/cli.js

dist/cli.jsView on unpkg · L24482
24483patternName = private_key_rsa severity = critical line = 24483 matchedText = { name: .../ },
Critical
Secret Pattern

RSA private key in dist/cli.js

dist/cli.jsView on unpkg · L24483
6840module2.exports = (string2, columns, options) => { L6841: return String(string2).normalize().replace(/\r\n/g, "\n").split("\n").map((line) => exec(line, columns, options)).join("\n"); L6842: };
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L6840
28175parsed.args = ["/d", "/s", "/c", `"${shellCommand}"`]; L28176: parsed.command = process.env.comspec || "cmd.exe"; L28177: parsed.options.windowsVerbatimArguments = true;
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L28175
79Cross-file remote execution chain: dist/cli.js spawns dist/api.js; helper contains network access plus dynamic code execution. L79: "use strict"; L80: var debug2 = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : ()... L81: }; ... L2049: pre: str.slice(0, r2[0]), L2050: body: str.slice(r2[0] + ma.length, r2[1]), L2051: post: str.slice(r2[1] + mb.length) ... L2097: function numeric(str) { L2098: return !isNaN(str) ? parseInt(str, 10) : str.charCodeAt(0); L2099: } ... L3143: }; L3144: defaultPlatform = typeof process === "object" && process ? typeof process.env === "object" && process.env && process.env.__MINIMATCH_TESTING_PLATFORM__ || process.platform : "posix... L3145: path = {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L79
15}; L16: var __commonJS = (cb, mod) => function __require() { L17: try {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.jsView on unpkg · L15
79"use strict"; L80: var debug2 = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : ()... L81: }; ... L2049: pre: str.slice(0, r2[0]), L2050: body: str.slice(r2[0] + ma.length, r2[1]), L2051: post: str.slice(r2[1] + mb.length) ... L2097: function numeric(str) { L2098: return !isNaN(str) ? parseInt(str, 10) : str.charCodeAt(0); L2099: } ... L3143: }; L3144: defaultPlatform = typeof process === "object" && process ? typeof process.env === "object" && process.env && process.env.__MINIMATCH_TESTING_PLATFORM__ || process.platform : "posix... L3145: path = {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.jsView on unpkg · L79
24487patternName = generic_password severity = medium line = 24487 matchedText = { name: ...i },
Medium
Secret Pattern

Hardcoded password in dist/cli.js

dist/cli.jsView on unpkg · L24487
36498}`; L36499: const result = attempt(() => new Function(...importsKeys, `${sourceURL}return ${compiledFunction}`)(...importValues)); L36500: result.source = compiledFunction;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli.jsView on unpkg · L36498

Findings

3 Critical3 High5 Medium5 Low
CriticalCritical Secretdist/cli.js
CriticalSecret Patterndist/cli.js
CriticalSecret Patterndist/cli.js
HighChild Processdist/cli.js
HighShelldist/cli.js
HighCross File Remote Execution Contextdist/cli.js
MediumDynamic Requiredist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli.js
MediumSecret Patterndist/cli.js
LowEvaldist/cli.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License