registry  /  @plugdev/cli  /  0.8.0

@plugdev/cli@0.8.0

plug / plugdev — npm run dev for Minecraft plugins

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 11 file(s), 194 KB of source, external domains: adoptium.net, api.modrinth.com, fill.papermc.io, github.com, hangar.papermc.io, piston-meta.mojang.com

Source & flagged code

6 flagged · loading source
dist/cli.jsView file
1158package = @plugdev/cli; repositoryIdentity = plugdev; dependency = @xmcl/core L1158: try { L1159: const { diagnose } = await import("@xmcl/core"); L1160: const report = await diagnose(mcVersion, embeddedClientDir());
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/cli.jsView on unpkg · L1158
matchType = previous_version_dangerous_delta matchedPackage = @plugdev/cli@0.7.6 matchedIdentity = npm:QHBsdWdkZXYvY2xp:0.7.6 similarity = 0.909 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
6formatErrorJson, L7: getExitCode L8: } from "./chunk-ANYMKJPX.js"; ... L232: if (!schemaRaw) return void 0; L233: const schema = JSON.parse(schemaRaw); L234: const ajv = new Ajv2020({ allErrors: true, strict: false }); ... L345: // src/util/tools.ts L346: import { execa } from "execa"; L347: import { join as join3 } from "path"; ... L371: async function checkGradle(cwd) { L372: const gradlew = process.platform === "win32" ? "gradlew.bat" : "gradlew"; L373: const path = join3(cwd, gradlew);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli.jsView on unpkg · L6
bootstrap/plugdev-bootstrap-paper.jarView file
path = bootstrap/plugdev-bootstrap-paper.jar kind = high_entropy_blob sizeBytes = 12606 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

bootstrap/plugdev-bootstrap-paper.jarView on unpkg
path = bootstrap/plugdev-bootstrap-paper.jar kind = compressed_blob sizeBytes = 12606 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

bootstrap/plugdev-bootstrap-paper.jarView on unpkg
path = bootstrap/plugdev-bootstrap-paper.jar kind = nested_archive_needs_inspection sizeBytes = 12606 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

bootstrap/plugdev-bootstrap-paper.jarView on unpkg

Findings

3 High4 Medium7 Low
HighCopied Package Dependency Bridgedist/cli.js
HighShips High Entropy Blobbootstrap/plugdev-bootstrap-paper.jar
HighPrevious Version Dangerous Deltadist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobbootstrap/plugdev-bootstrap-paper.jar
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionbootstrap/plugdev-bootstrap-paper.jar