Static Scan Results
scanned 7d ago · by rust-scannerStatic analysis flagged 11 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
HighEntropyStringsMinifiedUrlStrings
Oversized source lightweight scan
public/assets/index-D8Jsti3x.js4.29 MB file, sampled 256 KB
NetworkHighEntropyStringsMinifiedUrlStringsreact.dev
Source & flagged code
4 flagged · loading sourcepublic/assets/ruby-Wjq7vjNf.jsView file
1import e from"./html-pp8916En.js";import n from"./haml-D5jkg6IW.js";import t from"./xml-sdJ4AIDG.js";import a from"./sql-BLtJtn59.js";import r from"./graphql-ChdNCCLP.js";import i ...
Medium
Dynamic Require
Package source references dynamic require/import behavior.
public/assets/ruby-Wjq7vjNf.jsView on unpkg · L1dist/server/localWorkspaces.jsView file
6import { basename, dirname, join, resolve } from "node:path";
L7: const DEFAULT_REGISTRY_PATH = resolve(homedir(), ".boring-ui", "workspaces.yaml");
L8: function [redacted]() {
L9: return process.env.BORING_UI_WORKSPACES_PATH ? resolve(process.env.BORING_UI_WORKSPACES_PATH) : DEFAULT_REGISTRY_PATH;
L10: }
...
L28: try {
L29: return JSON.parse(trimmed);
L30: } catch {
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/server/localWorkspaces.jsView on unpkg · L6public/assets/index-D8Jsti3x.jsView file
•path = public/assets/index-D8Jsti3x.js
kind = oversized_source_file
sizeBytes = 4496221
magicHex = [redacted]
High
Oversized Source File
Package contains source files above the static scanner size ceiling.
public/assets/index-D8Jsti3x.jsView on unpkgdist/server/modeApps.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @hachej/boring-ui-cli@0.1.61
matchedIdentity = npm:QGhhY2hlai9ib3JpbmctdWktY2xp:0.1.61
similarity = 0.992
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/server/modeApps.jsView on unpkgFindings
1 Critical1 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/server/modeApps.js
HighOversized Source Filepublic/assets/index-D8Jsti3x.js
MediumDynamic Requirepublic/assets/ruby-Wjq7vjNf.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/server/localWorkspaces.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings