registry  /  @html-validate/eslint-config  /  9.12.1

@html-validate/eslint-config@9.12.1

⚠ Under review

Eslint sharable config used by the various HTML-validate packages

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 226 KB of source, external domains: gitlab.com, mozilla.github.io

Source & flagged code

4 flagged · loading source
dist/cli.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @html-validate/eslint-config@9.11.6 matchedIdentity = npm:[redacted]:9.11.6 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.mjsView on unpkg
5816// src/cli.ts L5817: import child_process from "node:child_process"; L5818: import fs2 from "node:fs";
High
Child Process

Package source references child process execution.

dist/cli.mjsView on unpkg · L5816
6175try { L6176: await exec(`npm install --save-dev ${name}`); L6177: } catch (err) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.mjsView on unpkg · L6175
5227var source = compiler.compile(this.tmplStr, this.env.asyncFilters, this.env.extensionsList, this.path, this.env.opts); L5228: var func = new Function(source); L5229: props = func();
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli.mjsView on unpkg · L5227

Findings

1 Critical3 High2 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/cli.mjs
HighChild Processdist/cli.mjs
HighShell
HighRuntime Package Installdist/cli.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings