registry  /  @rtorcato/js-tooling  /  2.29.2

@rtorcato/js-tooling@2.29.2

JavaScript and TypeScript tooling for Node.js, React, Next.js, and Vitest.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 47 file(s), 235 KB of source, external domains: biomejs.dev, bundlephobia.com, codecov.io, conventionalcommits.org, docs.github.com, docs.renovatebot.com, github.com, gitlab.com, img.shields.io, json-schema.org, nodejs.org, opensource.org, registry.npmjs.org, rtorcato.github.io, unpkg.com, www.conventionalcommits.org, www.npmjs.com

Source & flagged code

3 flagged · loading source
tooling/tests/ssr-safety.mjsView file
10* For each folder under `srcDir` (excluding `excludeDirs`), the helper resolves L11: * `<srcDir>/<name>/<moduleEntry>` and `await import(...)` it. If the import L12: * throws or the module accesses a missing global at top level, the test fails.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

tooling/tests/ssr-safety.mjsView on unpkg · L10
tooling/playwright/playwright.config.mjsView file
5Manifest entrypoint (manifest.exports) carries capability families absent from dist/build output: environment+network L5: fullyParallel: true, L6: forbidOnly: !!process.env.CI, L7: retries: process.env.CI ? 2 : 0, ... L10: use: { L11: baseURL: process.env.PLAYWRIGHT_BASE_URL ?? 'http://localhost:3000', L12: trace: 'on-first-retry',
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

tooling/playwright/playwright.config.mjsView on unpkg · L5
tooling/semantic-release/index.mjsView file
11], L12: repositoryUrl: `https://gitlab-ci-token:${process.env.GITLAB_TOKEN}@gitlab.com/${process.env.CI_PROJECT_NAMESPACE}/${process.env.CI_PROJECT_NAME}.git`, L13: plugins: [ ... L43: { L44: assets: ['dist/*.js', 'dist/*.js.map', 'CHANGELOG.md', 'package.json', 'README.md'], L45: message: 'chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}', ... L54: ], L55: // npm publishing is opt-in via NPM_TOKEN: a repo that provides the token L56: // publishes; one that doesn't (GitLab releases only) gets a green release
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

tooling/semantic-release/index.mjsView on unpkg · L11

Findings

2 High3 Medium5 Low
HighEntrypoint Build Divergencetooling/playwright/playwright.config.mjs
HighSandbox Evasion Gated Capabilitytooling/semantic-release/index.mjs
MediumDynamic Requiretooling/tests/ssr-safety.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings