registry  /  @s3p/cli  /  0.2.0

@s3p/cli@0.2.0

CLI for s3p — the S3-native app platform. Create, build and deploy backend-free apps on AWS S3 + Cognito + IAM.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 737 KB of source, external domains: 169.254.170.2, a.co, aws.amazon.com, cloudfront-fips.cn-northwest-1.amazonaws.com.cn, cloudfront-fips.global.api.aws, cloudfront.amazonaws.com, cloudfront.cn-northwest-1.amazonaws.com.cn, cloudfront.global.api.aws, github.com, iam-fips.global.api.aws, iam-fips.us-iso-east-1.c2s.ic.gov, iam-fips.us-isob-east-1.sc2s.sgov.gov, iam.amazonaws.com, iam.cn-north-1.amazonaws.com.cn, iam.eu-isoe-west-1.cloud.adc-e.uk, iam.eusc-de-east-1.amazonaws.eu, iam.global.api.amazonwebservices.com.cn, iam.global.api.aws, iam.us-gov.amazonaws.com, iam.us-gov.api.aws, iam.us-iso-east-1.c2s.ic.gov, iam.us-isob-east-1.sc2s.sgov.gov, iam.us-isof-south-1.csp.hci.ic.gov, portal.sso, portal.sso-fips, react-native.canny.io, s3-fips.dualstack, s3-fips.dualstack.us-east-1, s3-fips.us-east-1, s3.amazonaws.com, s3.dualstack, s3.dualstack.us-east-1, s3p.dev, www.w3.org

Source & flagged code

5 flagged · loading source
s3p.mjsView file
55`)||(l["#text"]="#text"in l?l["#text"]+g:g);for(let g of i)g.tag in l?Array.isArray(l[g.tag])?l[g.tag].push(g.value):l[g.tag]=[l[g.tag],g.value]:l[g.tag]=g.value;for(let[g,f]of Obj... L56: Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`,{tryNextLink:!1,logger:e});return t}});var q4,H4=m(()=>{"use strict";ge();MT();B4();mb();q4=(t={... L57: `),o}function pf(t){return`// Auto-generated by @s3p/cli \u2014 do not edit by hand.
High
Child Process

Package source references child process execution.

s3p.mjsView on unpkg · L55
40${Vt(i)}`}getCanonicalPath({path:e}){if(this.uriEscapePath){let o=[];for(let s of e.split("/"))s?.length!==0&&s!=="."&&(s===".."?o.pop():o.push(s));let r=`${e?.startsWith("/")?"/":... L41: `);return this.signString(S,{signingDate:r,signingRegion:u,signingService:i,eventStreamCredentials:c})}async signMessage(e,{signingDate:o=new Date,signingRegion:r,signingService:n,... L42: For more information, please visit: `+uoe);let n=t.originalExpiration??t.expiration;return{...t,...n?{originalExpiration:n}:{},expiration:r}}});var Lk,Mk=m(()=>{"use strict";wk();L... ... L55: `)||(l["#text"]="#text"in l?l["#text"]+g:g);for(let g of i)g.tag in l?Array.isArray(l[g.tag])?l[g.tag].push(g.value):l[g.tag]=[l[g.tag],g.value]:l[g.tag]=g.value;for(let[g,f]of Obj... L56: Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`,{tryNextLink:!1,logger:e});return t}});var q4,H4=m(()=>{"use strict";ge();MT();B4();mb();q4=(t={... L57: `),o}function pf(t){return`// Auto-generated by @s3p/cli \u2014 do not edit by hand.
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

s3p.mjsView on unpkg · L40
40${Vt(i)}`}getCanonicalPath({path:e}){if(this.uriEscapePath){let o=[];for(let s of e.split("/"))s?.length!==0&&s!=="."&&(s===".."?o.pop():o.push(s));let r=`${e?.startsWith("/")?"/":... L41: `);return this.signString(S,{signingDate:r,signingRegion:u,signingService:i,eventStreamCredentials:c})}async signMessage(e,{signingDate:o=new Date,signingRegion:r,signingService:n,... L42: For more information, please visit: `+uoe);let n=t.originalExpiration??t.expiration;return{...t,...n?{originalExpiration:n}:{},expiration:r}}});var Lk,Mk=m(()=>{"use strict";wk();L... ... L55: `)||(l["#text"]="#text"in l?l["#text"]+g:g);for(let g of i)g.tag in l?Array.isArray(l[g.tag])?l[g.tag].push(g.value):l[g.tag]=[l[g.tag],g.value]:l[g.tag]=g.value;for(let[g,f]of Obj... L56: Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`,{tryNextLink:!1,logger:e});return t}});var q4,H4=m(()=>{"use strict";ge();MT();B4();mb();q4=(t={... L57: `),o}function pf(t){return`// Auto-generated by @s3p/cli \u2014 do not edit by hand.
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

s3p.mjsView on unpkg · L40
6const __filename = __s3pFileURLToPath(import.meta.url); L7: const __dirname = __s3pDirname(__filename); L8: var TZ=Object.defineProperty;var m=(t,e)=>()=>(t&&(e=t(t=0)),e);var yn=(t,e)=>{for(var o in e)TZ(t,o,{get:e[o],enumerable:!0})};var df,uo,S1=m(()=>{"use strict";df={warningEmitted:... L9: versions published after the first week of January 2027 ... L14: L15: More information can be found at: https://a.co/c895JFp`))}}});function Ge(t,e,o){return t.$source||(t.$source={}),t.$source[e]=o,t}var v1=m(()=>{"use strict"});import{Readable as L... L16: `+x}catch{!o.logger||o.logger?.constructor?.name==="NoOpLogger"?console.warn(x):o.logger?.warn?.(x)}typeof f.$responseBodyText<"u"&&f.$response&&(f.$response.body=f.$responseBodyTe... L17: `).slice(0,5).filter(e=>!e.includes("stackTraceWarning")).join(` L18: `),HZ={warn:console.warn}});function Cs(t){let e=t.getUTCFullYear(),o=t.getUTCMonth(),r=t.getUTCDay(),n=t.getUTCDate(),s=t.getUTCHours(),i=t.getUTCMinutes(),c=t.getUTCSeconds(),u=n... L19: `),c){let C=o(await u);g.enqueue(`${s}:${C}\r ... L48: Set AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.`,{logger:t.logger});let c=new URL(e);cN(c,t.logger);let
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

s3p.mjsView on unpkg · L6
6const __filename = __s3pFileURLToPath(import.meta.url); L7: const __dirname = __s3pDirname(__filename); L8: var TZ=Object.defineProperty;var m=(t,e)=>()=>(t&&(e=t(t=0)),e);var yn=(t,e)=>{for(var o in e)TZ(t,o,{get:e[o],enumerable:!0})};var df,uo,S1=m(()=>{"use strict";df={warningEmitted:... L9: versions published after the first week of January 2027 ... L14: L15: More information can be found at: https://a.co/c895JFp`))}}});function Ge(t,e,o){return t.$source||(t.$source={}),t.$source[e]=o,t}var v1=m(()=>{"use strict"});import{Readable as L... L16: `+x}catch{!o.logger||o.logger?.constructor?.name==="NoOpLogger"?console.warn(x):o.logger?.warn?.(x)}typeof f.$responseBodyText<"u"&&f.$response&&(f.$response.body=f.$responseBodyTe... L17: `).slice(0,5).filter(e=>!e.includes("stackTraceWarning")).join(` L18: `),HZ={warn:console.warn}});function Cs(t){let e=t.getUTCFullYear(),o=t.getUTCMonth(),r=t.getUTCDay(),n=t.getUTCDate(),s=t.getUTCHours(),i=t.getUTCMinutes(),c=t.getUTCSeconds(),u=n... L19: `),c){let C=o(await u);g.enqueue(`${s}:${C}\r ... L48: Set AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.`,{logger:t.logger});let c=new URL(e);cN(c,t.logger);let
Low
Weak Crypto

Package source references weak cryptographic algorithms.

s3p.mjsView on unpkg · L6

Findings

4 High4 Medium5 Low
HighChild Processs3p.mjs
HighSame File Env Network Executions3p.mjs
HighCommand Output Exfiltrations3p.mjs
HighCloud Metadata Accesss3p.mjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowWeak Cryptos3p.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings