@lightdash/cli@0.3292.0

⚠ Under review

Lightdash CLI tool

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence (public snapshot)

Behavioral surface
  Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
  Supply chain: HighEntropyStrings, UrlStrings
  Manifest: No manifest risk signals triggered.

Scanned 104 file(s), 574 KB of source.
External domains: analytics.lightdash.com, api.github.com, app.lightdash.cloud, bucket.s3.amazonaws.com, custom.domain.com, custom.lightdash.domain, docs.getdbt.com, docs.lightdash.com, eu1.lightdash.cloud, example.com, github.com, lightdash.domain.com, raw.githubusercontent.com

Source & flagged code

8 flagged

package.json
  scripts.postinstall = bash track.sh completed || echo 'skipping postinstall'
  High · Install Time Lifecycle Scripts
  Package defines install-time lifecycle scripts.

package.json
  scripts.preinstall = bash track.sh started || echo 'skipping preinstall'
  Medium · Ambiguous Install Lifecycle Script
  Install-time lifecycle script is not statically allowlisted and needs review.

package.json
  scripts.postinstall = bash track.sh completed || echo 'skipping postinstall'
  Medium · Ambiguous Install Lifecycle Script
  Install-time lifecycle script is not statically allowlisted and needs review.

dist/dbt/targets/redshift.js · L128
  patternName = generic_password; severity = medium; line = 128; matchedText = throw ne..."`);
  Medium · Secret Pattern
  Package contains a possible secret pattern.

dist/dbt/schema.js · L3
  package = @lightdash/cli; repositoryIdentity = lightdash; dependency = @lightdash/common
  L3: exports.searchForModel = void 0; L4: const common_1 = require("@lightdash/common"); L5: const fs_1 = require("fs");
  High · Copied Package Dependency Bridge
  Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/vendor/template/scripts/bootstrap.sh
  path = [redacted].sh; kind = build_helper; sizeBytes = 554; magicHex = [redacted]
  Medium · Ships Build Helper
  Package ships non-JavaScript build or shell helper files.

dist/dbt/manifest.js
  matchType = previous_version_dangerous_delta; matchedPackage = @lightdash/cli@0.3274.1; matchedIdentity = npm:QGxpZ2h0ZGFzaC9jbGk:0.3274.1; similarity = 0.955; summary = stored previous version shares package body but lacks this dangerous source file
  Critical · Previous Version Dangerous Delta
  This package version adds a dangerous source file absent from the previous stored version.

dist/dbt/targets/postgres.js · L119
  patternName = generic_password; severity = medium; line = 119; matchedText = throw ne..."`);
  Medium · Secret Pattern
  Hardcoded password in dist/dbt/targets/postgres.js

Findings

1 Critical · 2 High · 8 Medium · 4 Low

Critical · Previous Version Dangerous Delta · dist/dbt/manifest.js
High · Install Time Lifecycle Scripts · package.json
High · Copied Package Dependency Bridge · dist/dbt/schema.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Secret Pattern · dist/dbt/targets/redshift.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · dist/vendor/template/scripts/bootstrap.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist/dbt/targets/postgres.js
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings