registry  /  @pikku/cli  /  0.12.65

@pikku/cli@0.12.65

⚠ Under review

This package is part of @pikku/mono and is responsible for all the intropsection and file generations.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 266 file(s), 1.36 MB of source, external domains: 127.0.0.1, api.example.com, api.pikkufabric.com, app.example.com, dummy.com, example.com, paraglidejs.com, pikku.dev, pikkufabric.dev, raw.githubusercontent.com, react.dev, registry.npmjs.org, rolldown.rs, www.w3.org
Oversized source lightweight scan
console-app/assets/index-C851uJHD.js5.96 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsdummy.comparaglidejs.comreact.devrolldown.rswww.w3.org

Source & flagged code

7 flagged · loading source
dist/src/functions/db/sqlite/sqlite-runtime-node.jsView file
54async function importNodeSqlite() { L55: const dynamicImport = new Function('return import("node:sqlite")'); L56: return dynamicImport();
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/functions/db/sqlite/sqlite-runtime-node.jsView on unpkg · L54
dist/bin/pikku.jsView file
5return; L6: process.stderr.write(`${w.name}: ${w.message}\n`); L7: }); ... L11: const __filename = fileURLToPath(import.meta.url); L12: const __dirname = dirname(__filename); L13: async function checkForUpdate() { L14: if (process.env.CI || !process.stderr.isTTY) L15: return; L16: try { L17: const { version: current } = JSON.parse(readFileSync(join(__dirname, '../package.json'), 'utf-8')); L18: const res = await fetch('https://registry.npmjs.org/@pikku/cli/latest', { L19: signal: AbortSignal.timeout(3000),
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/bin/pikku.jsView on unpkg · L5
35try { L36: const { PikkuCLI } = await import(pathToFileURL(pikkuCliPath).href); L37: const updateCheck = checkForUpdate();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin/pikku.jsView on unpkg · L35
dist/src/functions/db/local-db.jsView file
153finally { L154: await client.end(); L155: } ... L267: export async function reset(resolved, rootDir) { L268: if (process.env.NODE_ENV === 'production') { L269: throw new Error(`pikku db reset refused: NODE_ENV=production. This command only runs in dev.`); ... L313: * `ColumnEntry` is optional, so the empty-per-table scaffold is valid and means L314: * "everything default `private`". Returns whether a scaffold was written. L315: */
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/src/functions/db/local-db.jsView on unpkg · L153
console-app/assets/index-C851uJHD.jsView file
path = console-app/assets/index-C851uJHD.js kind = oversized_source_file sizeBytes = 6254260 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

console-app/assets/index-C851uJHD.jsView on unpkg
dist/src/fabric/functions/validate.function.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @pikku/cli@0.12.59 matchedIdentity = npm:QHBpa2t1L2NsaQ:0.12.59 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/src/fabric/functions/validate.function.jsView on unpkg
skills/pikku-testing/references/cucumber-bdd-testing.mdView file
19patternName = generic_password severity = medium line = 19 matchedText = guest: ...' },
Medium
Secret Pattern

Hardcoded password in skills/pikku-testing/references/cucumber-bdd-testing.md

skills/pikku-testing/references/cucumber-bdd-testing.mdView on unpkg · L19

Findings

1 Critical2 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/src/fabric/functions/validate.function.js
HighSandbox Evasion Gated Capabilitydist/bin/pikku.js
HighOversized Source Fileconsole-app/assets/index-C851uJHD.js
MediumDynamic Requiredist/bin/pikku.js
MediumUnsafe Vm Contextdist/src/functions/db/local-db.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternskills/pikku-testing/references/cucumber-bdd-testing.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/src/functions/db/sqlite/sqlite-runtime-node.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings