registry  /  @glissade/cli  /  0.62.0

@glissade/cli@0.62.0

glissade CLI: headless rendering via backend-skia (+ FFmpeg mux).

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsTelemetry
ManifestNo manifest risk signals triggered.
scanned 41 file(s), 387 KB of source

Source & flagged code

2 flagged · loading source
dist/describeLint.jsView file
293for (const spec of modules) try { L294: Object.assign(surface, await import(spec)); L295: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/describeLint.jsView on unpkg · L293
dist/critique.jsView file
19package = @glissade/cli; repositoryIdentity = glissade; dependency = @glissade/backend-skia L19: const scene = mod.createScene(); L20: const { SkiaBackend } = await import("@glissade/backend-skia"); L21: scene.setTextMeasurer(new SkiaBackend(scene.size.w, scene.size.h));
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/critique.jsView on unpkg · L19

Findings

1 High3 Medium4 Low
HighCopied Package Dependency Bridgedist/critique.js
MediumDynamic Requiredist/describeLint.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry