registry  /  @levrbet/shared  /  0.5.76

@levrbet/shared@0.5.76

Shared utilities, components, and types for the LEVR platform...

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 199 file(s), 783 KB of source, external domains: app.dev.levr.bet, app.levr.bet, app.staging.levr.bet, auth-api.dev.levr.bet, auth-api.staging.levr.bet, auth.api.levr.bet, client-dev-promo-bucket.s3.ap-south-1.amazonaws.com, client-prod-promo-bucket.s3.ap-south-1.amazonaws.com, client-staging-promo-bucket.s3.ap-south-1.amazonaws.com, github.com, indexer.dev.hyperindex.xyz, indexer.hyperindex.xyz, lambda.api.levr.bet, lambda.dev.levr.bet, lambda.staging.levr.bet, leaderboard.api.levr.bet, leaderboard.dev.levr.bet, leaderboard.staging.levr.bet, levrbet.squids.live, liquidation-engine.api.levr.bet, liquidation-engine.dev.levr.bet, liquidation-engine.staging.levr.bet, openzeppeline.dev-services-domain, openzeppeline.prod-services-domain, openzeppeline.staging-services-domain, oracle-core.api.levr.bet, oracle-core.dev.levr.bet, oracle-core.staging.levr.bet, oracle-periphery.api.levr.bet, oracle-periphery.dev.levr.bet, oracle-periphery.staging.levr.bet, oracle-processor.api.levr.bet, oracle-processor.dev.levr.bet, oracle-processor.staging.levr.bet, orderbook.api.levr.bet, orderbook.dev.levr.bet, orderbook.staging.levr.bet, referrals.api.levr.bet, referrals.dev.levr.bet, referrals.staging.levr.bet, relayers.dev.levr.bet

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.jsView file
10L11: const { execSync } = require("child_process") L12: const fs = require("fs")
High
Child Process

Package source references child process execution.

scripts/postinstall.jsView on unpkg · L10
95// Run from the consumer's project root so @prisma/client is found there L96: execSync(`npx prisma generate --schema="${schemaPath}"`, { L97: stdio: "inherit",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.jsView on unpkg · L95

Findings

3 High4 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/postinstall.js
HighRuntime Package Installscripts/postinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License