Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
3 flagged · loading sourcetests/e2e/switch-react-version.jsView file
6const fs = require('fs');
L7: const { execSync } = require('child_process');
L8:
High
Child Process
Package source references child process execution.
tests/e2e/switch-react-version.jsView on unpkg · L648function runInstallCommand() {
L49: execSync('pnpm install --no-frozen-lockfile', { stdio: 'inherit' });
L50: }
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
tests/e2e/switch-react-version.jsView on unpkg · L48build/lib/dom-util.jsView file
39package = @rebilly/framepay-react; repositoryIdentity = rebilly; dependency = @rebilly/framepay
L39: exports.injectScript = void 0;
L40: var framepay_1 = require("@rebilly/framepay");
L41: var injectScript = function (_a) { return __awaiter(void 0, [_a], void 0, function (_b) {
High
Copied Package Dependency Bridge
Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
build/lib/dom-util.jsView on unpkg · L39Findings
4 High3 Medium4 Low
HighChild Processtests/e2e/switch-react-version.js
HighShell
HighCopied Package Dependency Bridgebuild/lib/dom-util.js
HighRuntime Package Installtests/e2e/switch-react-version.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings