registry  /  @levrbet/shared  /  0.5.82

@levrbet/shared@0.5.82

⚠ Under review

Shared utilities, components, and types for the LEVR platform...

Static Scan Results

scanned 12h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 199 file(s), 787 KB of source, external domains: app.dev.levr.bet, app.levr.bet, app.staging.levr.bet, auth-api.dev.levr.bet, auth-api.staging.levr.bet, auth.api.levr.bet, client-dev-promo-bucket.s3.ap-south-1.amazonaws.com, client-prod-promo-bucket.s3.ap-south-1.amazonaws.com, client-staging-promo-bucket.s3.ap-south-1.amazonaws.com, github.com, indexer.dev.hyperindex.xyz, indexer.hyperindex.xyz, lambda.api.levr.bet, lambda.dev.levr.bet, lambda.staging.levr.bet, leaderboard.api.levr.bet, leaderboard.dev.levr.bet, leaderboard.staging.levr.bet, levrbet.squids.live, liquidation-engine.api.levr.bet, liquidation-engine.dev.levr.bet, liquidation-engine.staging.levr.bet, openzeppeline.dev-services-domain, openzeppeline.prod-services-domain, openzeppeline.staging-services-domain, oracle-core.api.levr.bet, oracle-core.dev.levr.bet, oracle-core.staging.levr.bet, oracle-periphery.api.levr.bet, oracle-periphery.dev.levr.bet, oracle-periphery.staging.levr.bet, oracle-processor.api.levr.bet, oracle-processor.dev.levr.bet, oracle-processor.staging.levr.bet, orderbook.api.levr.bet, orderbook.dev.levr.bet, orderbook.staging.levr.bet, referrals.api.levr.bet, referrals.dev.levr.bet, referrals.staging.levr.bet, relayers.dev.levr.bet

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @levrbet/shared@0.5.76 matchedIdentity = npm:QGxldnJiZXQvc2hhcmVk:0.5.76 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/postinstall.jsView on unpkg
10L11: const { execSync } = require("child_process") L12: const fs = require("fs")
High
Child Process

Package source references child process execution.

scripts/postinstall.jsView on unpkg · L10
95// Run from the consumer's project root so @prisma/client is found there L96: execSync(`npx prisma generate --schema="${schemaPath}"`, { L97: stdio: "inherit",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.jsView on unpkg · L95

Findings

1 Critical3 High4 Medium7 Low
CriticalPrevious Version Dangerous Deltascripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/postinstall.js
HighRuntime Package Installscripts/postinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License