Static Scan Results
Scanned 3h ago · by rust-scanner
Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
Public snapshot
Behavioral surface
ChildProcess · EnvironmentVars · Filesystem · Network · Shell
HighEntropyStrings · UrlStrings
Source & flagged code
1 flagged · src/update.js
L1: import fs from 'node:fs';
L2: import { spawn } from 'node:child_process';
L3: import { config } from './config.js';
...
L9: try {
L10:   return JSON.parse(fs.readFileSync(new URL('../package.json', import.meta.url), 'utf8')).version;
L11: } catch {
...
L29: try {
L30:   const r = await fetch(`https://registry.npmjs.org/${NAME}/latest`, { signal: ctrl.signal });
L31:   if (!r.ok) return null;
...
L53: export function runUpdate({ background = false } = {}) {
L54:   const isWin = process.platform === 'win32';
L55:   const cmd = isWin ? 'npm.cmd' : 'npm';
High · Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
src/update.js · L1
Findings
1 High · 3 Medium · 5 Low
High: Sandbox Evasion Gated Capability (src/update.js)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings