registry  /  @mettlecast/domain-cli  /  0.2.72

@mettlecast/domain-cli@0.2.72

⚠ Under review

Local developer toolchain for TIB Domain Module projects. Provides build, validate, test, and dev subcommands.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 190 file(s), 1002 KB of source, external domains: api.github.com, lambda-power-tuning.show, mc-scaffold.s3.amazonaws.com

Source & flagged code

4 flagged · loading source
dist/commands/reseed-page.jsView file
2import { join, resolve, dirname } from 'node:path'; L3: import { execSync } from 'node:child_process'; L4: import { createGunzip } from 'node:zlib';
High
Child Process

Package source references child process execution.

dist/commands/reseed-page.jsView on unpkg · L2
dist/server/mount-routes.jsView file
27const fastifyPath = toFastifyPath(exposure.path); L28: const mod = await import(handlerAbsPath); L29: const def = Object.values(mod).find(v => v && typeof v === 'object' && v['id'] === action.id);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/server/mount-routes.jsView on unpkg · L27
dist/commands/init.jsView file
5* L6: * Usage: npx mc-domain-module init L7: */ L8: import { execSync } from 'node:child_process'; L9: import { existsSync } from 'node:fs';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/init.jsView on unpkg · L5
dist/commands/doctor.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @mettlecast/domain-cli@0.2.67 matchedIdentity = npm:QG1ldHRsZWNhc3QvZG9tYWluLWNsaQ:0.2.67 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/doctor.jsView on unpkg

Findings

1 Critical3 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/commands/doctor.js
HighChild Processdist/commands/reseed-page.js
HighShell
HighRuntime Package Installdist/commands/init.js
MediumDynamic Requiredist/server/mount-routes.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License