registry  /  @metasession.co/devaudit-cli  /  0.3.11

@metasession.co/devaudit-cli@0.3.11

⚠ Under review

DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 165 KB of source, external domains: api.github.com, devaudit.metasession.co, github.com, www.conventionalcommits.org

Source & flagged code

6 flagged · loading source
sdlc/src/bin/devaudit-sdlc.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @metasession.co/devaudit-cli@0.3.9 matchedIdentity = npm:[redacted]:0.3.9 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

sdlc/src/bin/devaudit-sdlc.jsView on unpkg
3const path = require('path'); L4: const { spawnSync } = require('child_process'); L5:
High
Child Process

Package source references child process execution.

sdlc/src/bin/devaudit-sdlc.jsView on unpkg · L3
dist/index.jsView file
3import { createConsola } from 'consola'; L4: import { execa } from 'execa'; L5: import { join, resolve, basename, dirname, relative } from 'path';
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L3
1782} L1783: await execa("npx", ["husky", "init"], { cwd: ctx.projectPath, stdio: "inherit" }); L1784: return { step: "8/11 Bootstrap hook framework", status: "ok", message: ".husky/ bootstrapped" };
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L1782
79const mainPath = resolve(dir, result.main); L80: const mod = await import(toFileUrl(mainPath)); L81: if (!mod.default || typeof mod.default !== "object") {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L79
scripts/upload-evidence.shView file
path = scripts/upload-evidence.sh kind = build_helper sizeBytes = 24845 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/upload-evidence.shView on unpkg

Findings

1 Critical3 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltasdlc/src/bin/devaudit-sdlc.js
HighChild Processsdlc/src/bin/devaudit-sdlc.js
HighShelldist/index.js
HighRuntime Package Installdist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/upload-evidence.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings