registry  /  @libredb/studio  /  0.9.42

@libredb/studio@0.9.42

<p align="center"> <img src="public/logo.svg" width="200" alt="LibreDB Studio Logo" /> </p>

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 23 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 58 file(s), 1.67 MB of source, external domains: api.openai.com, example.com, github.com, picsum.photos

Source & flagged code

12 flagged · loading source
dist/chunk-AXBPQRG7.jsView file
1057patternName = private_key_rsa severity = critical line = 1057 matchedText = placehol...--",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/chunk-AXBPQRG7.jsView on unpkg · L1057
1057patternName = private_key_rsa severity = critical line = 1057 matchedText = placehol...--",
Critical
Secret Pattern

RSA private key in dist/chunk-AXBPQRG7.js

dist/chunk-AXBPQRG7.jsView on unpkg · L1057
1189patternName = private_key_openssh severity = critical line = 1189 matchedText = placehol...--",
Critical
Secret Pattern

OpenSSH private key in dist/chunk-AXBPQRG7.js

dist/chunk-AXBPQRG7.jsView on unpkg · L1189
bin/studio.jsView file
17*/ L18: import { spawn, spawnSync } from "node:child_process"; L19: import * as fs from "node:fs";
High
Child Process

Package source references child process execution.

bin/studio.jsView on unpkg · L17
13Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, execution+network L13: * L14: * ESM in a .js file: bin/package.json sets "type": "module" for this L15: * directory only - the root package.json must stay typeless because the ... L17: */ L18: import { spawn, spawnSync } from "node:child_process"; L19: import * as fs from "node:fs"; ... L33: L34: const pkg = JSON.parse(fs.readFileSync(new URL("../package.json", import.meta.url), "utf8")); L35: ... L101: try { L102: const response = await fetch(url, { redirect: "follow", signal: controller.signal }); L103: if (response.status === 404) {
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/studio.jsView on unpkg · L13
223function startServer(payloadDir, port, host) { L224: const env = { ...process.env }; L225: if (port !== null) env.PORT = String(port); ... L228: if (!env.NODE_ENV) env.NODE_ENV = "production"; L229: console.log(`Starting LibreDB Studio ${pkg.version} on http://${env.HOSTNAME}:${env.PORT || "3000"}`); L230: const child = spawn(process.execPath, ["server.js"], { cwd: payloadDir, env, stdio: "inherit" }); L231: child.on("error", (error) => fail(`Could not start server.js: ${error.message}`));
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/studio.jsView on unpkg · L223
matchType = previous_version_dangerous_delta matchedPackage = @libredb/studio@0.9.39 matchedIdentity = npm:QGxpYnJlZGIvc3R1ZGlv:0.9.39 similarity = 0.962 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/studio.jsView on unpkg
dist/chunk-AXFO3IQH.mjsView file
1036patternName = private_key_rsa severity = critical line = 1036 matchedText = placehol...--",
Critical
Secret Pattern

RSA private key in dist/chunk-AXFO3IQH.mjs

dist/chunk-AXFO3IQH.mjsView on unpkg · L1036
1168patternName = private_key_openssh severity = critical line = 1168 matchedText = placehol...--",
Critical
Secret Pattern

OpenSSH private key in dist/chunk-AXFO3IQH.mjs

dist/chunk-AXFO3IQH.mjsView on unpkg · L1168
README.mdView file
581patternName = generic_password severity = medium line = 581 matchedText = password...RD}"
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L581
592patternName = generic_password severity = medium line = 592 matchedText = password...RD}"
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L592
641patternName = generic_password severity = medium line = 641 matchedText = password...RD}"
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L641

Findings

5 Critical5 High7 Medium6 Low
CriticalCritical Secretdist/chunk-AXBPQRG7.js
CriticalSecret Patterndist/chunk-AXBPQRG7.js
CriticalSecret Patterndist/chunk-AXBPQRG7.js
CriticalSecret Patterndist/chunk-AXFO3IQH.mjs
CriticalSecret Patterndist/chunk-AXFO3IQH.mjs
HighChild Processbin/studio.js
HighShell
HighEntrypoint Build Divergencebin/studio.js
HighSame File Env Network Executionbin/studio.js
HighPrevious Version Dangerous Deltabin/studio.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License