registry  /  @http-forge/core  /  0.6.6

@http-forge/core@0.6.6

⚠ Under review

Headless HTTP testing engine with Postman collection support, dynamic variables, and script-based automation.

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 1.83 MB of source, external domains: 127.0.0.1, aaa.nonexistanturl.com, api.doppler.com, example.com, json-schema.org, momentjs.com, npms.io, raw.githubusercontent.com, schema.getpostman.com

Source & flagged code

9 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @http-forge/core@0.6.5 matchedIdentity = npm:QGh0dHAtZm9yZ2UvY29yZQ:0.6.5 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
276${n.join(` L277: `)}`));if(!("location"in i.headers)||!i.headers.location)throw(0,ky.ono)({status:i.status},`HTTP ${i.status} redirect with no location header`);{let s=np.resolve(t.href,i.headers.l... L278:
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L276
276${n.join(` L277: `)}`));if(!("location"in i.headers)||!i.headers.location)throw(0,ky.ono)({status:i.status},`HTTP ${i.status} redirect with no location header`);{let s=np.resolve(t.href,i.headers.l... L278:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L276
273`+t.slice(o+1):d+=t.slice(i),d.slice(1)}function n8(t){let e="",r=0;for(let n=0;n<t.length;r>=65536?n+=2:n++){r=Qd(t,n);let i=Sr[r];!i&&ep(r)?(e+=t[n],r>=65536&&(e+=t[n+1])):e+=i||... L274: `:""}u$.exports.dump=l8});var zC=U((wre,Tr)=>{"use strict";var d$=V1(),c8=f$();function WC(t,e){return function(){throw new Error("Function yaml."+t+" is removed in js-yaml 4. Use ... L275: Too many redirects: L276: ${n.join(` L277: `)}`));if(!("location"in i.headers)||!i.headers.location)throw(0,ky.ono)({status:i.status},`HTTP ${i.status} redirect with no location header`);{let s=np.resolve(t.href,i.headers.l... L278:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L273
1"use strict";var Zj=Object.create;var zh=Object.defineProperty;var Xj=Object.getOwnPropertyDescriptor;var e2=Object.getOwnPropertyNames;var t2=Object.getPrototypeOf,r2=Object.proto... L2: /* [wrapped with `+c+`] */
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1
26|| (${o} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(l,(0,Pe._)`+${i}`);return;case"boolean":n.elseIf((0,Pe._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L27: || ${o} === "boolean" || ${i} === null`).assign(l,(0,Pe._)`[${i}]`)}}}function TU({gen:t,parentData:e,parentDataProperty:r},n){t.if((0,Pe._)`${e} !== undefined`,()=>t.assign((0,Pe.... L28: missingProperty: ${n},
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L26
dist/index.mjsView file
1var _j=Object.create;var _h=Object.defineProperty;var Rj=Object.getOwnPropertyDescriptor;var Cj=Object.getOwnPropertyNames;var xj=Object.getPrototypeOf,Ej=Object.prototype.hasOwnPr... L2: /* [wrapped with `+c+`] */ ... L22: Arguments: `+Array.prototype.slice.call(R).join("")+` L23: `+new Error().stack),S=!1}return g.apply(this,arguments)},g)}var A={};function F(f,g){e.deprecationHandler!=null&&e.deprecationHandler(f,g),A[f]||(O(g),A[f]=!0)}e.suppressDeprecati... L24: `:""},this._extScope=e,this._scope=new Zn.Scope({parent:e}),this._nodes=[new wS]}toString(){return this._root.render(this.opts)}name(e){return this._scope.name(e)}scopeName(e){retu... ... L26: || (${o} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(l,(0,ke._)`+${i}`);return;case"boolean":n.elseIf((0,ke._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L27: || ${o} === "boolean" || ${i} === null`).assign(l,(0,ke._)`[${i}]`)}}}function cU({gen:t,parentData:e,parentDataProperty:r},n){t.if((0,ke._)`${e} !== undefined`,()=>t.assign((0,ke.... L28: missingProperty: ${n}, ... L52: `)}function fz(t){let e=t.url;if(t.query&&t.query.length){let r=t.query.filter(n=>n.enabled!==!1).map(n=>`${encodeURIComp
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/index.mjsView on unpkg · L1
1var _j=Object.create;var _h=Object.defineProperty;var Rj=Object.getOwnPropertyDescriptor;var Cj=Object.getOwnPropertyNames;var xj=Object.getPrototypeOf,Ej=Object.prototype.hasOwnPr... L2: /* [wrapped with `+c+`] */ ... L22: Arguments: `+Array.prototype.slice.call(R).join("")+` L23: `+new Error().stack),S=!1}return g.apply(this,arguments)},g)}var A={};function F(f,g){e.deprecationHandler!=null&&e.deprecationHandler(f,g),A[f]||(O(g),A[f]=!0)}e.suppressDeprecati... L24: `:""},this._extScope=e,this._scope=new Zn.Scope({parent:e}),this._nodes=[new wS]}toString(){return this._root.render(this.opts)}name(e){return this._scope.name(e)}scopeName(e){retu... ... L26: || (${o} === "string" && ${i} && ${i} == +${i} && !(${i} % 1))`).assign(l,(0,ke._)`+${i}`);return;case"boolean":n.elseIf((0,ke._)`${i} === "false" || ${i} === 0 || ${i} === null`).... L27: || ${o} === "boolean" || ${i} === null`).assign(l,(0,ke._)`[${i}]`)}}}function cU({gen:t,parentData:e,parentDataProperty:r},n){t.if((0,ke._)`${e} !== undefined`,()=>t.assign((0,ke.... L28: missingProperty: ${n}, ... L52: `)}function fz(t){let e=t.url;if(t.query&&t.query.length){let r=t.query.filter(n=>n.enabled!==!1).map(n=>`${encodeURIComp
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.mjsView on unpkg · L1
README.mdView file
930patternName = generic_password severity = medium line = 930 matchedText = password...d}}'
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L930

Findings

1 Critical3 High7 Medium8 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumDynamic Requiredist/index.js
MediumUnsafe Vm Contextdist/index.mjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
MediumSecret PatternREADME.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/index.js
LowWeak Cryptodist/index.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings