@flun/desktop-builder@1.0.3

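Package any Node.js website into a desktop application for the current platform ('win', 'mac', 'linux') with one click (based on Electron), with support for highly customizable configuration.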

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 5 file(s), 34.9 KB of source, external domains: electronjs.org, mirrors.huaweicloud.com, npmmirror.com, www.abc.com

Source & flagged code

4 flagged
package.json
scripts.postinstall = node copy-files.js 2>&1
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node copy-files.js 2>&1
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

electron-main.js
L264: /^(async\s+)?(function\s*(\w*\s*)?\(|\(\)\s*=>|async\s*\(\)\s*=>)/.test(newItem.click.trim()))
L265: try { newItem.click = eval(newItem.click) } catch (_) { }
L266:
Low
Eval

Package source references a known benign dynamic code generation pattern.

electron-main.js · L264
lib/setup.ico
path = lib/setup.ico kind = high_entropy_blob sizeBytes = 14040 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.


Findings

2 High · 4 Medium · 5 Low
High · Install Time Lifecycle Scripts · package.json
High · Ships High Entropy Blob · lib/setup.ico
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · electron-main.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings