@rspack-canary/browser@2.1.3-canary-75752ca1-20260705175236

Rspack for running in the browser. This is still in early stage and may not follow the semver.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, DynamicRequire, EnvironmentVars, Eval, Filesystem, NativeBindings, Network
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 3 file(s), 1.62 MB of source, external domains: feross.org, rspack.rs
Oversized source lightweight scan
dist/index.js: 3.06 MB file, sampled 256 KB
Filesystem, EnvironmentVars, Eval, DynamicRequire, HighEntropyStrings, UrlStrings · rspack.rs

Source & flagged code

4 flagged
dist/612.js
L42: try {
L43:   return this || new Function('return this')();
L44: } catch (e) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/612.js · L42
dist/wasi-worker-browser.mjs
L99: process.browser = true;
L100: process.env = {};
L101: process.argv = [];
...
L178: var stackBuffer = buffer.slice(16 + nameLength + messageLength, 16 + nameLength + messageLength + stackLength);
L179: var name = new TextDecoder().decode(nameBuffer);
L180: var message = new TextDecoder().decode(messageBuffer);
...
L377: null == (_b = (_a = worker).onmessage) || _b.call(_a, {
L378:   data: data
L379: });
...
L697: this.setup(instance, module, memory);
L698: var exitCode = this.wasi.start(instance);
L699: return {
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/wasi-worker-browser.mjs · L99
dist/rspack.wasm32-wasi.wasm
path = dist/rspack.wasm32-wasi.wasm kind = wasm_module sizeBytes = 28916566 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/index.js
path = dist/index.js kind = oversized_source_file sizeBytes = 3203568 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.


Findings

2 High · 5 Medium · 5 Low
High: Obfuscated Payload Loader (dist/wasi-worker-browser.mjs)
High: Oversized Source File (dist/index.js)
Medium: Dynamic Require
Medium: Network
Medium: Environment Vars
Medium: Ships Wasm Module (dist/rspack.wasm32-wasi.wasm)
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Eval (dist/612.js)
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings