Static Scan Results
scanned 7d ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcebin/smrt.jsView file
2L3: import { spawnSync } from 'node:child_process';
L4: import { existsSync } from 'node:fs';
High
dist/commands-gnJG0EIL.jsView file
4469* Security: Command and arguments are validated to prevent injection attacks.
L4470: * shell: true is NOT used to avoid command injection vulnerabilities.
L4471: */
High
3648execSync(`git config ${configScope} merge.smrt-json.name "SMRT JSON merge driver"`, { stdio: "inherit" });
L3649: execSync(`git config ${configScope} merge.smrt-json.driver "npx smrt merge-json %O %A %B"`, { stdio: "inherit" });
L3650: changes.push(`Git merge driver configured (${options.global ? "global" : "local"})`);
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/commands-gnJG0EIL.jsView on unpkg · L3648121}
L122: const { getPackageConfig } = await import("@happyvertical/smrt-config");
L123: const { DEFAULT_CLI_CONFIG } = await import("./config-BwrFRL8L.js");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/commands-gnJG0EIL.jsView on unpkg · L121Findings
3 High4 Medium4 Low
HighChild Processbin/smrt.js
HighShelldist/commands-gnJG0EIL.js
HighRuntime Package Installdist/commands-gnJG0EIL.js
MediumDynamic Requiredist/commands-gnJG0EIL.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings