
@rspack-canary/core@2.1.3-canary-7caa6eff-20260703032940

Fast Rust-based bundler for the web with a modernized webpack API

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 26 file(s), 1.03 MB of source, external domains: github.com, rspack.rs

Source & flagged code

4 flagged
compiled/tinypool/dist/utils-B--2TaWv.js
L5: function getImportESM() {
L6: if (importESMCached === void 0) importESMCached = new Function("specifier", "return import(specifier)");
L7: return importESMCached;
Low
Eval

Package source references a known benign dynamic code generation pattern.

compiled/tinypool/dist/utils-B--2TaWv.js · L5

dist/worker.js
L8: import node_path from "node:path";
L9: let __rspack_createRequire_require = __rspack_createRequire(import.meta.url);
L10: var swc_namespaceObject = {};
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/worker.js · L8

dist/index.js
L15: for(; idx >= 0;){
L16: let char = path.charCodeAt(idx);
L17: if (47 === char || 92 === char) break;
...
L331: }();
L332: let binding_namespaceObject = __rspack_createRequire_require(process.env.RSPACK_BINDING ? process.env.RSPACK_BINDING : "@rspack/binding");
L333: var binding_default = __webpack_require__.n(binding_namespaceObject);
...
L1549: }
L1550: exec(param, callback) {
L1551: this.#isRunning || (queueMicrotask(()=>this.#exec_internal()), this.#isRunning = !0), this.#params.push(param), this.#callbacks.push(callback);
...
L2947: let env = process.env ?? {}, argv = process.argv ?? [];
L2948: return !('NO_COLOR' in env || argv.includes('--no-color')) && ('FORCE_COLOR' in env || argv.includes('--color') || 'win32' === process.platform || process.stdout?.isTTY && 'dumb' !...
L2949: }
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.js · L15

L15: for(; idx >= 0;){
L16: let char = path.charCodeAt(idx);
L17: if (47 === char || 92 === char) break;
...
L331: }();
L332: let binding_namespaceObject = __rspack_createRequire_require(process.env.RSPACK_BINDING ? process.env.RSPACK_BINDING : "@rspack/binding");
L333: var binding_default = __webpack_require__.n(binding_namespaceObject);
...
L1549: }
L1550: exec(param, callback) {
L1551: this.#isRunning || (queueMicrotask(()=>this.#exec_internal()), this.#isRunning = !0), this.#params.push(param), this.#callbacks.push(callback);
...
L2947: let env = process.env ?? {}, argv = process.argv ?? [];
L2948: return !('NO_COLOR' in env || argv.includes('--no-color')) && ('FORCE_COLOR' in env || argv.includes('--color') || 'win32' === process.platform || process.stdout?.isTTY && 'dumb' !...
L2949: }
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/index.js · L15

Findings

1 High · 5 Medium · 5 Low
High · Obfuscated Payload Loader · dist/index.js
Medium · Dynamic Require · dist/worker.js
Medium · Unsafe Vm Context · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · compiled/tinypool/dist/utils-B--2TaWv.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings