
@neat.is/core@0.4.23

NEAT graph engine: tree-sitter extraction, OTel ingest, REST API

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
  Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No manifest risk signals triggered.

scanned 14 file(s), 1.79 MB of source, external domains: 127.0.0.1, registry.npmjs.org

Source & flagged code

8 flagged
dist/chunk-O25KZNZK.js
  L6266: import path37 from "path";
  L6267: import { spawn } from "child_process";
  L6268: var LOCKFILE_PRIORITY = [

High · Child Process
Package source references child process execution.
Location: dist/chunk-O25KZNZK.js · L6266
dist/chunk-O25KZNZK.js
  L3466: }
  L3467: async function resolveJsImport(specifier, importerDir, serviceDir, tsPaths) {
  L3468:   if (!specifier) return null;

Medium · Dynamic Require
Package source references dynamic require/import behavior.
Location: dist/chunk-O25KZNZK.js · L3466
dist/neatd.js
  L78: // ESM fallback — daemon CJS bundle has `require`, but typecheck wants this
  L79: eval("require")
  L80: );

High · Eval
Package source references dynamic code evaluation.
Location: dist/neatd.js · L78
dist/neatd.js
  L20: // src/web-spawn.ts
  L21: import { spawn } from "child_process";
  L22: import { promises as fsp } from "fs";
  L23: import net from "net";
  L24: import path from "path";
  ...
  L31: function projectRoot() {
  L32:   const fromEnv = process.env.NEAT_SCAN_PATH;
  L33:   return path.resolve(fromEnv && fromEnv.length > 0 ? fromEnv : process.cwd());

High · Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
Location: dist/neatd.js · L20
dist/chunk-XOOCA5T7.js
  L61: function ollamaHost() {
  L62:   return process.env.OLLAMA_HOST ?? null;
  L63: }
  ...
  L65: try {
  L66:   const res = await fetch(`${host.replace(/\/$/, "")}/api/tags`, {
  L67:     signal: AbortSignal.timeout(500)
  ...
  L85:   headers: { "content-type": "application/json" },
  L86:   body: JSON.stringify({ model, prompt: text })
  L87: });
  ...
  L90: }
  L91: const data = await res.json();
  L92: out.push(Float32Array.from(data.embedding));

Low · Weak Crypto
Package source references weak cryptographic algorithms.
Location: dist/chunk-XOOCA5T7.js · L61
dist/cli.js
Scanner note: Cross-file remote execution chain: dist/cli.js spawns dist/neatd.js; helper contains network access plus dynamic code execution.
  L66: import {
  L67:   __dirname,
  L68:   __require,
  ...
  L85: const candidates = [
  L86:   path.resolve(here, "../package.json"),
  L87:   path.resolve(here, "../../package.json")
  ...
  L91: const raw = readFileSync(candidate, "utf8");
  L92: const parsed = JSON.parse(raw);
  L93: if (parsed.name === "@neat.is/core" && typeof parsed.version === "string") {
  ...
  L153: "for prod OTel routing, set these in your deploy platform's env:",
  L154: " OTEL_EXPORTER_OTLP_ENDPOINT=https://<your-neat-host>:4318",
  L155: " OTEL_EXPORTER_OTLP_HEADERS=Authorization=Bearer <NEAT_AUTH_TOKEN>"

High · Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
Location: dist/cli.js · L66
(excerpt identical to the dist/cli.js L66-L155 lines shown above)
Medium · Install Persistence
Source writes installer persistence such as shell profile or service configuration.
Location: dist/cli.js · L66
dist/cli.cjs
Scanner note: Detached bundled service listener: dist/cli.cjs launches a Node helper and exposes a broad-bound HTTP listener.
  L56: if (opts.trustProxy) return;
  L57: const expected = Buffer.from(opts.token, "utf8");
  L58: const suffixes = [...DEFAULT_UNAUTH_SUFFIXES, ...opts.extraUnauthenticatedSuffixes ?? []];
  ...
  L73: if (typeof header !== "string" || !header.startsWith("Bearer ")) {
  L74:   void reply.code(401).send({ error: "unauthorized" });
  L75:   return;
  ...
  L88: }
  L89: function readAuthEnv(env = process.env) {
  L90:   const t = env.NEAT_AUTH_TOKEN;
  ...
  L643: function readPackageVersion() {
  L644:   const here = typeof __dirname !== "undefined" ? __dirname : import_node_path.default.dirname((0, import_node_url.fileURLToPath)(importMetaUrl));
  L645:   const candidates = [

High · Spawned Bundled Service Listener
Source launches a detached bundled service that exposes a broad-bound HTTP listener.
Location: dist/cli.cjs · L56

Findings

6 High · 5 Medium · 6 Low

Severity  Finding                                 File
High      Child Process                           dist/chunk-O25KZNZK.js
High      Shell
High      Eval                                    dist/neatd.js
High      Same File Env Network Execution         dist/neatd.js
High      Cross File Remote Execution Context     dist/cli.js
High      Spawned Bundled Service Listener        dist/cli.cjs
Medium    Dynamic Require                         dist/chunk-O25KZNZK.js
Medium    Network
Medium    Environment Vars
Medium    Install Persistence                     dist/cli.js
Medium    Structural Risk Force Deep Review
Low       Non Install Lifecycle Scripts
Low       Scripts Present
Low       Weak Crypto                             dist/chunk-XOOCA5T7.js
Low       Filesystem
Low       High Entropy Strings
Low       Url Strings