registry  /  @gjsify/cli  /  0.16.2

@gjsify/cli@0.16.2

⚠ Under review

CLI for Gjsify

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 101 file(s), 1.05 MB of source, external domains: esbuild.github.io, flathub.org, github.com, raw.githubusercontent.com, registry.npmjs.org, rolldown.rs, www.npmjs.com
Oversized source lightweight scan
dist/cli.gjs.mjs6.22 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoObfuscatedHighEntropyStringsMinifiedUrlStringsgithub.comrolldown.rs

Source & flagged code

8 flagged · loading source
lib/utils/oxc-resolve.jsView file
50import { join, resolve } from 'node:path'; L51: import { spawn } from 'node:child_process'; L52: import { createRequire } from 'node:module';
High
Child Process

Package source references child process execution.

lib/utils/oxc-resolve.jsView on unpkg · L50
lib/utils/run-lifecycle-script.jsView file
13// Matches yarn / npm script semantics: L14: // - `shell: true` so `&&` / `|` / env-var refs work L15: // - PATH prepended with `<wsDir>/node_modules/.bin` + monorepo-root bin
High
Shell

Package source references shell execution.

lib/utils/run-lifecycle-script.jsView on unpkg · L13
lib/bundler-pick.jsView file
37// it eagerly at module init pulls musl-detection code that does L38: // `require('node:fs')` synchronously — fine on Node, but fatal under GJS L39: // where the createRequire polyfill rejects synchronous builtin loads.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/bundler-pick.jsView on unpkg · L37
lib/commands/pack.jsView file
12// "shasum": "<sha1 hex>", L13: // "integrity": "sha512-<base64>", L14: // "files": [ { path, size, mode }, ... ], ... L19: // File selection mirrors npm pack: explicit `files` field if present, else L20: // the default allowlist (README/LICENSE/package.json + main entry + bin). The L21: // implementation here is conservative — when no `files` field is set we walk ... L45: .option('json', { L46: description: 'Emit pack metadata as JSON on stdout (mirrors `npm pack --json`).', L47: type: 'boolean', ... L62: handler: async (args) => { L63: const wsDir = resolve(args.path ?? process.cwd()); L64: const result = await packWorkspace(wsDir, {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/commands/pack.jsView on unpkg · L12
lib/utils/install-backend.jsView file
4// extracts tarballs via @gjsify/tar — no Node, no npm required at runtime). L5: // Fallback: `npm install --no-package-lock --no-audit --no-fund --prefix <dir> <specs...>`, L6: // for parity with the legacy code path. Switched via ... L14: // already covers reproducibility. `--no-audit --no-fund` cuts ~5s off cold runs. L15: import { spawn } from 'node:child_process'; L16: import { writeFileSync } from 'node:fs';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/utils/install-backend.jsView on unpkg · L4
dist/cli.gjs.mjsView file
path = dist/cli.gjs.mjs kind = oversized_source_file sizeBytes = 6523363 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.gjs.mjsView on unpkg
path = dist/cli.gjs.mjs kind = oversized_cli_entrypoint sizeBytes = 6523363 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.gjs.mjsView on unpkg
lib/commands/onboard.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @gjsify/cli@0.15.1 matchedIdentity = npm:QGdqc2lmeS9jbGk:0.15.1 similarity = 0.910 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/commands/onboard.jsView on unpkg

Findings

1 Critical4 High5 Medium7 Low
CriticalPrevious Version Dangerous Deltalib/commands/onboard.js
HighChild Processlib/utils/oxc-resolve.js
HighShelllib/utils/run-lifecycle-script.js
HighRuntime Package Installlib/utils/install-backend.js
HighOversized Source Filedist/cli.gjs.mjs
MediumDynamic Requirelib/bundler-pick.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/cli.gjs.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak Cryptolib/commands/pack.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings