registry  /  @griddo/cx  /  11.17.1-rc.0

@griddo/cx@11.17.1-rc.0

⚠ Under review

Griddo SSG based on Gatsby

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 135 file(s), 6.62 MB of source, external domains: api.indexnow.org, github.com, griddo.io, jimmy.warting.se, www.googletagmanager.com, www.sitemaps.org, www.w3.org

Source & flagged code

4 flagged · loading source
gatsby-config.tsView file
22// Gatsby configuration file from client L23: const { plugins, ...gatsbyConfig } = require(resolveComponentsPath("builder.config.js")); L24:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

gatsby-config.tsView on unpkg · L22
build/commands/legacy-upload-search-content.jsView file
126) L127: `)}close(){this.#t.close()}get(A){Wc(A);let t=this.#E(A);return t?{body:t.body?Buffer.from(t.body.buffer,t.body.byteOffset,t.body.byteLength):void 0,statusCode:t.statusCode,statusM... L128: ${n}`;break;case"retry":ly(n)&&(t[s]=n);break;case"id":Iy(n)&&(t[s]=n);break;case"event":n.length>0&&(t[s]=n);break}}processEvent(A){A.retry&&ly(A.retry)&&(this.state.reconnectionT... ... L130: `);e.stack=t?`${t} L131: ${n}`:s.stack}p.exports.fetch=function(A,t=void 0){return cY(A,t).catch(r=>{throw Ry?Fy(r,Ry):r&&typeof r=="object"&&Error.captureStackTrace(r,p.exports.fetch),r})};p.exports.Heade... L132: `);throw O.log(`
Critical
Builtin Api Tampering Exfiltration

Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.

build/commands/legacy-upload-search-content.jsView on unpkg · L126
exporter/build.shView file
path = exporter/build.sh kind = build_helper sizeBytes = 2660 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

exporter/build.shView on unpkg
exporter/commands/legacy/prepare-domains-render.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @griddo/cx@11.16.0-rc.3 matchedIdentity = npm:QGdyaWRkby9jeA:11.16.0-rc.3 similarity = 0.504 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

exporter/commands/legacy/prepare-domains-render.tsView on unpkg

Findings

1 Critical1 High5 Medium7 Low
CriticalBuiltin Api Tampering Exfiltrationbuild/commands/legacy-upload-search-content.js
HighPrevious Version Dangerous Deltaexporter/commands/legacy/prepare-domains-render.ts
MediumDynamic Requiregatsby-config.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperexporter/build.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License