Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
4 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node -e "require('fs').existsSync('dist/PostInstall.js') && require('child_process').spawnSync(process.execPath,['dist/PostInstall.js'],{stdio:'inherit'})"
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node -e "require('fs').existsSync('dist/PostInstall.js') && require('child_process').spawnSync(process.execPath,['dist/PostInstall.js'],{stdio:'inherit'})"
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgdist/graph-assets/vendor/elk.bundled.jsView file
6611*******************************************************************************/
L6612: var ELK = require('./elk-api.js')["default"];
L6613: var ELKNode = /*#__PURE__*/function (_ELK) {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/graph-assets/vendor/elk.bundled.jsView on unpkg · L6611dist/Api.jsView file
14import { basename as $e, dirname as O, isAbsolute as $t, join as $, parse as Yn, relative as vt, resolve as ve } from "node:path";
L15: import { createServer as ks } from "node:http";
L16: import { URL as Cs, fileURLToPath as Qn, pathToFileURL as Xn } from "node:url";
...
L36: headers: r,
L37: body: JSON.stringify({ code: t }),
L38: signal: AbortSignal.timeout(Ht)
...
L48: try {
L49: i = await s.json();
L50: } catch (a) {
...
L235: Login failed:`, n instanceof Error ? n.message : n), console.log(` You can try again with 'jolli auth login'.
L236: `), process.exitCode = 1;
L237: }
Low
Findings
1 High5 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/graph-assets/vendor/elk.bundled.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/Api.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings