
@oclif/plugin-test-esbuild@0.5.161

Bundled plugin for testing

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
  Source: Child Process, Environment Vars, Eval, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No manifest risk signals triggered.

Scanned 15 file(s), 470 KB of source. External domains: codeload.github.com, developer.mozilla.org, gist.githubusercontent.com, github.com, jsperf.com, registry.npmjs.org, stackoverflow.com

Oversized source lightweight scan
  dist/chunk-T2I5QBUT.js: 10.0 MB file, sampled 256 KB
  Signals: Child Process, Environment Vars, Eval, High Entropy Strings, Url Strings
  Domains: developer.mozilla.org, github.com, jsperf.com, stackoverflow.com

Source & flagged code

4 flagged

dist/index.js

  L121: var import_semver = __toESM(require_semver(), 1);
  L122: import { spawn as spawn2 } from "node:child_process";
  L123: import { access, mkdir, readFile as readFile2, rename, rm, writeFile } from "node:fs/promises";

High · Child Process

Package source references child process execution.

dist/index.js · L121

  L218: windowsVerbatimArguments: true,
  L219: ...process.platform === "win32" && modulePath.toLowerCase().endsWith(".cmd") && { shell: true }
  L220: });

High · Shell

Package source references shell execution.

dist/index.js · L218

Cross-file remote execution chain: dist/index.js spawns dist/npa-L34VQLAA.js; the helper contains network access plus dynamic code execution.

  L121: var import_semver = __toESM(require_semver(), 1);
  L122: import { spawn as spawn2 } from "node:child_process";
  L123: import { access, mkdir, readFile as readFile2, rename, rm, writeFile } from "node:fs/promises";
  ...
  L150: const {
  L151:   env = process.env,
  L152:   platform = process.platform
  L153: } = options;
  ...
  L221: const possibleLastLinesOfNpmInstall = ["up to date", "added"];
  L222: const stderr = [];
  L223: const stdout = [];
  ...
  L310:  * Get the path to the npm CLI file.
  L311:  * This will resolve npm to the pinned version in `@oclif/plugin-plugins/package.json` if it exists.

High · Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.js · L121

dist/chunk-T2I5QBUT.js

  path = dist/chunk-T2I5QBUT.js
  kind = oversized_source_file
  sizeBytes = 10508451
  magicHex = [redacted]

High · Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/chunk-T2I5QBUT.js

Findings

4 High · 3 Medium · 6 Low

High · Child Process · dist/index.js
High · Shell · dist/index.js
High · Cross File Remote Execution Context · dist/index.js
High · Oversized Source File · dist/chunk-T2I5QBUT.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings