registry  /  @sanity/cli  /  7.4.2

@sanity/cli@7.4.2

Sanity CLI tool for managing Sanity projects and organizations

Static Scan Results

scanned 15d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 642 file(s), 1.31 MB of source, external domains: 192.168.1.1, admin.shopify.com, api.github.com, api.sanity.io, codeload.github.com, esbuild.github.io, example.com, github.com, high-traffic-site.com, mcp.sanity.io, myapp.com, nextjs.org, not.what-you-were-expecting.com, public.sanity.io, raw.githubusercontent.com, reference.sanity.io, sanity.io, sanity.work, some.host, www.sanity.io, www.some-malicious.site, www.w3.org

Source & flagged code

5 flagged · loading source
dist/util/update/updateChecker.jsView file
1import { spawn } from 'node:child_process'; L2: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

dist/util/update/updateChecker.jsView on unpkg · L1
dist/util/packageManager/installationInfo/detectGlobals.jsView file
1import path from 'node:path'; L2: import { execa } from 'execa'; L3: import which from 'which';
High
Shell

Package source references shell execution.

dist/util/packageManager/installationInfo/detectGlobals.jsView on unpkg · L1
dist/actions/manifest/writeWorkspaceFiles.jsView file
1import { createHash } from 'node:crypto'; L2: import { writeFile } from 'node:fs/promises';
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/actions/manifest/writeWorkspaceFiles.jsView on unpkg · L1
dist/commands/codemod.jsView file
118try { L119: const npxHelp = execSync('npx --help', { L120: encoding: 'utf8' ... L122: if (!npxHelp.includes('npm')) { L123: this.error('Not the npx we expected', { L124: exit: 1
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/codemod.jsView on unpkg · L118
bin/run.cmdView file
path = bin/run.cmd kind = build_helper sizeBytes = 31 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/run.cmdView on unpkg

Findings

3 High4 Medium6 Low
HighChild Processdist/util/update/updateChecker.js
HighShelldist/util/packageManager/installationInfo/detectGlobals.js
HighRuntime Package Installdist/commands/codemod.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/run.cmd
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/actions/manifest/writeWorkspaceFiles.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings