@rensoai/code-graph@1.4.5

Dependency graph analyzer for code, tests, docs, and policy surfaces. Bundles the prebuilt code_graph + code_graph-mcp binaries via per-platform sub-packages.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 4 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

Public snapshot
Behavioral surface:
  Source: ChildProcess, Filesystem
  Supply chain: UrlStrings
  Manifest: NoLicense
Scanned 2 file(s), 4.00 KB of source; external domains: cg.renso.ai

Source & flagged code

1 flagged: bin/code_graph-mcp.js

    L7:  const { spawnSync } = require("child_process");
    L8:  const path = require("path");
    ...
    L35: try {
    L36:   pkgRoot = path.dirname(require.resolve(`${pkg}/package.json`));
    L37: } catch (err) {
    ...
    L39:     `error: @rensoai/code-graph: platform sub-package ${pkg} not installed. ` +
    L40:     `Install from https://cg.renso.ai/docs#install, or ensure optionalDependencies ` +
    L41:     `are not blocked if you are maintaining the npm package.`
    ...
    L44: }
    L45: const ext = process.platform === "win32" ? ".exe" : "";
    L46: const candidate = path.join(pkgRoot, "bin", `code_graph-mcp${ext}`);
High: Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/code_graph-mcp.js · L6

Findings

1 High, 3 Low
High: Sandbox Evasion Gated Capability (bin/code_graph-mcp.js)
Low: Filesystem
Low: Url Strings
Low: No License