registry  /  @lmnr-ai/lmnr  /  0.8.38

@lmnr-ai/lmnr@0.8.38

⚠ Under review

TypeScript SDK for Laminar AI

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 1.80 MB of source, external domains: 127.0.0.1, aiplatform.googleapis.com, api.anthropic.com, api.lmnr.ai, esbuild.github.io, evilmartians.com, www.laminar.sh, www.w3ctech.com

Source & flagged code

4 flagged · loading source
dist/index.cjsView file
21let _traceloop_instrumentation_together = require("@traceloop/instrumentation-together"); L22: let node_child_process = require("node:child_process"); L23: let node_crypto = require("node:crypto");
High
Child Process

Package source references child process execution.

dist/index.cjsView on unpkg · L21
21Cross-file remote execution chain: dist/index.cjs spawns dist/dist-DGDsKbQ8.cjs; helper contains network access plus dynamic code execution. L21: let _traceloop_instrumentation_together = require("@traceloop/instrumentation-together"); L22: let node_child_process = require("node:child_process"); L23: let node_crypto = require("node:crypto"); ... L27: fs = require_rolldown_runtime.__toESM(fs); L28: let net = require("net"); L29: net = require_rolldown_runtime.__toESM(net); ... L168: ...part, L169: data: part.data instanceof Uint8Array ? [redacted](part.data) : part.data && typeof part.data === "object" && part.data.type === "data" && part.data.data inst... L170: ...part.data, ... L497: */ L498: const readDebugSessionFile = (dir = process.cwd()) => { L499: try {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.cjsView on unpkg · L21
dist/cli.cjsView file
194const __dirname = require_dist.getDirname(); L195: new Function("require", "module", "__filename", "__dirname", moduleText)(require, module, __filename, __dirname); L196: return globalThis._evaluations;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli.cjsView on unpkg · L194
dist/index.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @lmnr-ai/lmnr@0.8.37 matchedIdentity = npm:QGxtbnItYWkvbG1ucg:0.8.37 similarity = 0.714 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.mjsView on unpkg

Findings

1 Critical3 High2 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.mjs
HighChild Processdist/index.cjs
HighShell
HighCross File Remote Execution Contextdist/index.cjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/cli.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings