registry  /  @objectstack/console  /  12.0.0

@objectstack/console@12.0.0

⚠ Under review

Prebuilt Console SPA pinned to this @objectstack/framework release. Source of truth: @object-ui/console (https://github.com/objectstack-ai/objectui).

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 481 file(s), 24.0 MB of source, external domains: api.qrserver.com, app.example.com, bit.ly, cdn.jsdelivr.net, chevrotain.io, cloud.objectos.app, demotiles.maplibre.org, docs.sentry.io, en.wikipedia.org, example.com, github.com, grainy-gradients.vercel.app, json-schema.org, langium.org, mystorageaccount.blob.core.windows.net, o447951.ingest.sentry.io, react.dev, reactrouter.com, redux-toolkit.js.org, redux.js.org, rolldown.rs, schemas.openxmlformats.org, sentry.io, spotlightjs.com, stuk.github.io, www.google.com, www.ibm.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/assets/src-BvIm_4jD.jsView file
133`);return i===-1&&(i=r.length,r+=` L134: `),{code:r.slice(0,i+1)+e+r.slice(i+1)+t,mappings:this.shiftMappings(n.mappings,e.length)}}else return{code:e+r+t,mappings:this.shiftMappings(n.mappings,e.length)}}processBalancedC... L135: `,n=`\r`;e.LinesAndColumns=function(){function e(e){this.string=e;for(var r=[0],i=0;i<e.length;)switch(e[i]){case t:i+=t.length,r.push(i);break;case n:i+=n.length,e[i]===t&&(i+=t.l...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/assets/src-BvIm_4jD.jsView on unpkg · L133
dist/assets/jsx-C97fCUqH.jsView file
1import{r as e}from"./rolldown-runtime-DAXXjFlN.js";var t=e({default:()=>n}),n=[Object.freeze(JSON.parse(`{"displayName":"JSX","name":"jsx","patterns":[{"include":"#directives"},{"i...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/assets/jsx-C97fCUqH.jsView on unpkg · L1
dist/assets/chunk-KEIR6QF5-MVybfwhZ.jsView file
46contains invisible/control Unicode U+FEFF (zero width no-break space) \r \v \xA0            \u2028\u2029   <U+FEFF>`.split(``);function Da(e){let t=typeof e==`string`?new RegExp(e):e;return Ea.some(e=>t.test(e))}o(Da,`isWhitespace`);function Oa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}o(Oa,`escapeReg
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/assets/chunk-KEIR6QF5-MVybfwhZ.jsView on unpkg · L46

Findings

1 Critical5 Medium5 Low
CriticalTrojan Source Unicodedist/assets/chunk-KEIR6QF5-MVybfwhZ.js
MediumDynamic Requiredist/assets/jsx-C97fCUqH.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowEvaldist/assets/src-BvIm_4jD.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings