@reddoorla/maintenance@0.68.0

Canonical maintenance configs, audits, and recipes for the reddoor stack.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface
  Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Obfuscated, Url Strings
  Manifest: No manifest risk signals triggered.

Scanned 87 file(s), 436 KB of source. External domains: api.github.com, api.netlify.com, content.airtable.com, developer.chrome.com, docs.renovatebot.com, github.com, images.prismic.io, player.vimeo.com, reddoor-maintenance.netlify.app, searchconsole.googleapis.com, static.cdn.prismic.io, www.googleapis.com, x.invalid

Source & flagged code

4 flagged

dist/chunk-ZO7WNY57.js · L104

  L104: try {
  L105:   const { code, stderr } = await spawn(
  L106:     "npx",

High · Child Process

Package source references child process execution.

dist/chunk-ZO7WNY57.js · L104

  L104: try {
  L105:   const { code, stderr } = await spawn(
  L106:     "npx",
  ...
  L116:   if (e.code === "ENOENT" || /ENOENT/.test(String(err))) {
  L117:     return { ran: false, stderr: "npx unavailable" };
  L118:   }

High · Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/chunk-YQMYQAJX.js · L31

  L31: if (input.fleet === "airtable") {
  L32:   const { openBase, readAirtableConfig } = await import("./client-EPVO3FEH.js");
  L33:   const { fromAirtableBase } = await import("./airtable-WGQQ3KAD.js");

Medium · Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-6JFOAPW4.js · L31

  L31: launchHeading: "LAUNCHED",
  L32: launchBody: "Your site is live. We've set it up on the Reddoor stack with hosting, security, and automatic maintenance so it stays fast and healthy. Here's what's in place:",
  L33: launchSetupItems: [
  ...
  L184: <mj-text color="${RED}" font-size="20px" font-weight="700" padding-top="${labelTop}">LIGHTHOUSE SCORES*</mj-text>${rows}
  L185: <mj-text color="${GREY}" font-family="helvetica, sans-serif" font-size="12px" font-weight="300" padding-top="24px" padding-bottom="${footnoteBottom}" line-height="20px">*A Lighthou...
  L186: </mj-column>
  ...
  L642: try {
  L643:   parsed = JSON.parse(raw);
  L644: } catch {
  ...
  L795: async function uploadAttachment(recordId, fieldName, body, filename, contentType) {
  L796:   const apiKey = process.env.AIRTABLE_PAT;
  L797:   const baseId = process.env.AIRTABLE_BASE_ID;

High · Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

Findings

4 High · 4 Medium · 5 Low

High · Child Process · dist/chunk-ZO7WNY57.js
High · Shell
High · Credential Exfiltration · dist/chunk-6JFOAPW4.js
High · Runtime Package Install · dist/chunk-ZO7WNY57.js
Medium · Dynamic Require · dist/chunk-YQMYQAJX.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk (Force Deep Review)
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings