@pagenary/publisher@2026.7.13

⚠ Under review

Multi-tenant documentation static site generator with Markdown, search, SEO snapshots, and docs-as-code publishing.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, UrlStrings
Manifest: CopyleftLicense
scanned 220 file(s), 1.54 MB of source

Source & flagged code

3 flagged

scripts/build.js
Line 7
L8: const require = createRequire(import.meta.url);
L9: const root = process.cwd();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/build.js · L7

scripts/lib/frontmatter.js
Line 25: contains invisible/control Unicode U+FEFF (zero width no-break space)
const match = text.match(/^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/);
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

scripts/lib/frontmatter.js · L25

scripts/build-tenants.js
Line 5: Cross-file remote execution chain: scripts/build-tenants.js spawns scripts/lib/seo-generator.js; helper contains network access plus dynamic code execution.
L5: import path from 'path';
L6: import { spawn, execSync } from 'child_process';
L7: import { createHash } from 'crypto';
...
L36:
L37: const root = process.cwd();
L38: // The package's own directory (this file lives at <pkg>/scripts/build-tenants.js).
...
L79: // Git options
L80: cacheDir: process.env.GIT_CACHE_DIR || null,
L81: keepCache: false,
...
L207: GIT_TERMINAL_PROMPT Set to 0 to disable interactive git prompts (recommended for CI)
L208: GIT_SSH_COMMAND Custom SSH command (e.g., "ssh -i ~/.ssh/deploy_key")
L209: GIT_CREDENTIALS HTTPS credentials in "username:token" format (not logged)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/build-tenants.js · L5

Findings

1 Critical · 3 High · 4 Medium · 6 Low

Critical · Trojan Source Unicode · scripts/lib/frontmatter.js
High · Child Process
High · Shell
High · Cross File Remote Execution Context · scripts/build-tenants.js
Medium · Dynamic Require · scripts/build.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License