
@oh-my-roadmap/core@1.1.1

Shared core for oh-my-roadmap: project config, agent-definition generation, and roadmap state store.

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface (source): Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.

Scanned 53 file(s), 395 KB of source. External domains: registry.npmjs.org

Source & flagged code

2 flagged

src/cli/install.ts
    L1: import {spawn} from 'node:child_process'
    L2: import * as fs from 'node:fs/promises'
High
Child Process

Package source references child process execution.

src/cli/install.ts · L1

src/cli/update.ts
    L95:  // The CLI self-update: `npm install -g @oh-my-roadmap/cli@<version>`. Injected in tests.
    L96:  export type CliUpdateRunner = (version: string) => Promise<void>;
    ...
    L99:    new Promise((resolve, reject) => {
    L100:     const child = spawn('npm', ['install', '-g', `${CLI_PACKAGE}@${version}`], {stdio: 'inherit'})
    L101:     child.on('error', reject)
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/cli/update.ts · L94

Findings

3 High · 3 Medium · 3 Low

Severity  Category                                  File
High      Child Process                             src/cli/install.ts
High      Shell
High      Runtime Package Install                   src/cli/update.ts
Medium    Network
Medium    Environment Vars
Medium    Structural Risk (Force Deep Review)
Low       Filesystem
Low       High Entropy Strings
Low       Url Strings