registry  /  @patchstack/connect  /  0.3.10

@patchstack/connect@0.3.10

Patchstack connector for JavaScript applications. Scans your lockfile and reports installed packages to Patchstack for vulnerability monitoring.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 239 KB of source, external domains: api.patchstack.com, cdn.patchstack.com, patchstack.com

Source & flagged code

2 flagged · loading source
dist/protect.cjsView file
30// src/protect/engine/client.js L31: var DEFAULT_BASE_URL = "https://api.patchstack.com"; L32: var DEFAULT_CACHE_TTL = 3e5; ... L39: constructor({ token, baseUrl, cacheTtl } = {}) { L40: this.#token = token ?? process.env.PATCHSTACK_WAF_TOKEN; L41: this.#baseUrl = baseUrl ?? process.env.PATCHSTACK_WAF_API_URL ?? DEFAULT_BASE_URL; ... L61: }, L62: body: JSON.stringify({}), L63: signal: AbortSignal.timeout(3e4) ... L73: } L74: const data = await response.json(); L75: const result = {
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/protect.cjsView on unpkg · L30
dist/index.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @patchstack/connect@0.3.6 matchedIdentity = npm:QHBhdGNoc3RhY2svY29ubmVjdA:0.3.6 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.cjsView on unpkg

Findings

2 High3 Medium5 Low
HighCloud Metadata Accessdist/protect.cjs
HighPrevious Version Dangerous Deltadist/index.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings