
@iobroker/repochecker@5.19.8

⚠ Under review

This is the code for the frontend and back-end of the service <https://adapter-check.iobroker.in/>

Static Scan Results

scanned 7h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Environment Vars, Eval, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No License
scanned 19 file(s), 650 KB of source, external domains: api.github.com, cdn.jsdelivr.net, data.jsdelivr.com, download.iobroker.net, github.com, raw.githubusercontent.com, registry.npmjs.org, spdx.org, translator.iobroker.in, www.github.com, www.npmjs.com

Source & flagged code

4 flagged
lib/M7000_License.js
    L9:
    L10: const execSync = require('node:child_process').execSync;
    L11:
High
Child Process

Package source references child process execution.

lib/M7000_License.js · L9
lib/M5000_Code.js
    L92: words = lines.join('\n');
    L93: const resultFunc = new Function(`return ${words};`);
    L94:
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/M5000_Code.js · L92
lib/M0000_PackageJson.js
    matchType = previous_version_dangerous_delta
    matchedPackage = @iobroker/repochecker@5.19.6
    matchedIdentity = npm:QGlvYnJva2VyL3JlcG9jaGVja2Vy:5.19.6
    similarity = 0.895
    summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/M0000_PackageJson.js
    L1800: /**
    L1801:  * Creates a package-lock.json in a temp directory by running npm install --package-lock-only.
    L1802:  * Returns the content of the generated package-lock.json, or throws if creation fails.
    ...
    L1807: async function createPackageLockJson(context) {
    L1808:     const { exec } = require('node:child_process');
    L1809:     const os = require('node:os');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/M0000_PackageJson.js · L1800

Findings

1 Critical · 3 High · 3 Medium · 7 Low

Critical · Previous Version Dangerous Delta · lib/M0000_PackageJson.js
High · Child Process · lib/M7000_License.js
High · Shell
High · Runtime Package Install · lib/M0000_PackageJson.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · lib/M5000_Code.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License