@objectstack/console@11.5.0

⚠ Under review

Prebuilt Console SPA pinned to this @objectstack/framework release. Source of truth: @object-ui/console (https://github.com/objectstack-ai/objectui).

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, NativeBindings, Network, WebSocket
Supply chain: HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 481 file(s), 23.3 MB of source, external domains: api.qrserver.com, bit.ly, cdn.jsdelivr.net, chevrotain.io, cloud.objectos.app, demotiles.maplibre.org, docs.sentry.io, en.wikipedia.org, example.com, github.com, grainy-gradients.vercel.app, json-schema.org, langium.org, o447951.ingest.sentry.io, react.dev, reactrouter.com, redux-toolkit.js.org, redux.js.org, rolldown.rs, schemas.openxmlformats.org, sentry.io, spotlightjs.com, stuk.github.io, www.google.com, www.ibm.com, www.w3.org

Source & flagged code

3 flagged
dist/assets/vendor-objectstack-AFc_0VfZ.js
L7: `;)this.pos++;continue}return this.token(this.pos++,f.DIVIDE);case`%`:return this.token(this.pos++,f.MODULO);case`<`:return t[e+1]===`=`?this.token((this.pos+=2)-2,f.LE):this.token...
L8: `:case`\r`:throw s(`newline_in_string`,`Newlines not allowed in single-quoted strings`,{pos:o,start:o,end:o+1,input:n});case`\\`:o++}o++}throw s(`unterminated_string`,`Unterminated...
L9: `).filter(e=>e),n=Math.min(...t.map(e=>e.length-e.trimStart().length)),r=t.map(e=>e.slice(n)).map(e=>` `.repeat(this.indent*2)+e);for(let e of r)this.content.push(e)}compile(){let ...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/assets/vendor-objectstack-AFc_0VfZ.js · L7

dist/assets/jsx-C97fCUqH.js
L1: import{r as e}from"./rolldown-runtime-DAXXjFlN.js";var t=e({default:()=>n}),n=[Object.freeze(JSON.parse(`{"displayName":"JSX","name":"jsx","patterns":[{"include":"#directives"},{"i...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/assets/jsx-C97fCUqH.js · L1

dist/assets/chunk-KEIR6QF5-MVybfwhZ.js
L46: contains invisible/control Unicode U+FEFF (zero width no-break space) \r \v \xA0            \u2028\u2029   <U+FEFF>`.split(``);function Da(e){let t=typeof e==`string`?new RegExp(e):e;return Ea.some(e=>t.test(e))}o(Da,`isWhitespace`);function Oa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}o(Oa,`escapeReg
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/assets/chunk-KEIR6QF5-MVybfwhZ.js · L46

Findings

1 Critical · 5 Medium · 5 Low

Critical · Trojan Source Unicode · dist/assets/chunk-KEIR6QF5-MVybfwhZ.js
Medium · Dynamic Require · dist/assets/jsx-C97fCUqH.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Structural Risk Force Deep Review
Low · Eval · dist/assets/vendor-objectstack-AFc_0VfZ.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings