registry  /  @just-every/code  /  0.6.146

@just-every/code@0.6.146

Lightweight coding agent that runs in your terminal - fork of OpenAI Codex

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 56.5 KB of source, external domains: github.com

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.preinstall = node scripts/preinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/coder.jsView file
6import { platform as nodePlatform, arch as nodeArch } from "os"; L7: import { execSync } from "child_process"; L8: import { get as httpsGet } from "https";
High
Child Process

Package source references child process execution.

bin/coder.jsView on unpkg · L6
222? `code-${targetTriple}.zip` L223: : (() => { try { execSync("zstd --version", { stdio: "ignore", shell: true }); return `code-${targetTriple}.zst`; } catch { return `code-${targetTriple}.tar.gz`; } })(); L224: const url = `https://github.com/just-every/code/releases/download/v${version}/${archiveName}`;
High
Shell

Package source references shell execution.

bin/coder.jsView on unpkg · L222
222? `code-${targetTriple}.zip` L223: : (() => { try { execSync("zstd --version", { stdio: "ignore", shell: true }); return `code-${targetTriple}.zst`; } catch { return `code-${targetTriple}.tar.gz`; } })(); L224: const url = `https://github.com/just-every/code/releases/download/v${version}/${archiveName}`; L225: const tmp = path.join(binDir, `.${archiveName}.part`); ... L230: try { L231: const sysRoot = process.env.SystemRoot || process.env.windir || 'C:\\\Windows'; L232: const psFull = path.join(sysRoot, 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe');
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/coder.jsView on unpkg · L222
scripts/windows-cleanup.ps1View file
path = scripts/windows-cleanup.ps1 kind = build_helper sizeBytes = 1180 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/windows-cleanup.ps1View on unpkg
bin/codex.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @just-every/code@0.6.140 matchedIdentity = npm:QGp1c3QtZXZlcnkvY29kZQ:0.6.140 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/codex.jsView on unpkg

Findings

5 High6 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/coder.js
HighShellbin/coder.js
HighSame File Env Network Executionbin/coder.js
HighPrevious Version Dangerous Deltabin/codex.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/windows-cleanup.ps1
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings