registry  /  @sasjs/cli  /  4.18.2

@sasjs/cli@4.18.2

Command line interface for SASjs

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The risky primitives are CLI features for scaffolding SASjs projects, generating docs, and calling user-configured SASjs servers.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes sasjs CLI commands such as create, doc, or server-related operations
Impact
Expected project file creation and command execution for SASjs workflows; no credential harvesting or covert persistence found
Mechanism
user-invoked project scaffolding, downloads, shell execution, and SASjs API access
Rationale
Static inspection found potentially dangerous primitives, but they are package-aligned and activated by explicit CLI workflows rather than install/import-time covert behavior. The prepare hook is undesirable but only points this package repo at its own .git-hooks and no malicious hook payload or consumer/AI-agent control hijack was found.
Evidence
package.jsonbuild/index.jsbuild/cli.jsbuild/utils/utils.jsbuild/utils/loadEnvVariables.jsbuild/commands/create/create.jsbuild/commands/docs/generateDocs.jsbuild/utils/setProjectDir.jsbuild/commands/create/createCommand.js
Network endpoints6
github.com/sasjs/react-seed-appgithub.com/sasjs/angular-seed-appgithub.com/sasjs/minimal-seed-appgithub.com/sasjs/docsgithub.com/sasjs/template_<template><target.serverUrl>/SASjsApi/info

Decision evidence

public snapshot
AI called this Clean at 87.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has prepare script: git rev-parse --git-dir && git config core.hooksPath ./.git-hooks || true
  • build/utils/utils.js uses shelljs.exec for wget/curl/powershell downloads and npm install during sasjs create
  • build/commands/docs/generateDocs.js builds a shell command to run doxygen with project-derived paths
Evidence against
  • build/index.js only dispatches CLI args to ./cli; no import-time payload observed
  • Network activity is tied to user-invoked SASjs create/docs/server commands and SASjs/GitHub/user target URLs
  • Runtime npm install occurs after explicit sasjs create scaffolding, inside the requested project folder
  • Env reads load local .env/.env.target for SAS credentials but no exfiltration sink was found
  • No AI-agent control-surface files or foreign agent config writes found
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 283 file(s), 2.34 MB of source, external domains: api.agify.io, cli.sasjs.io, core.sasjs.io, example.com, github.com, raw.githubusercontent.com, sasjs.io, sasjsserver.com, server.com, support.sas.com, test.sasjs, www.contributor-covenant.org, www.conventionalcommits.org, www.doxygen.nl

Source & flagged code

7 flagged · loading source
build/commands/create/spec/create.spec.jsView file
60if (!command.includes('npm install')) { L61: return exec(command, { L62: silent: true
High
Child Process

Package source references child process execution.

build/commands/create/spec/create.spec.jsView on unpkg · L60
build/utils/utils.jsView file
92Object.defineProperty(exports, "__esModule", { value: true }); L93: exports.isSasJsServerInServerMode = exports.getNodeModulePath = exports.isSASjsProject = exports.terminateProcess = exports.prefixAppLoc = exports.loadEnvVariables = exports.displa... L94: var shelljs_1 = __importDefault(require("shelljs"));
High
Shell

Package source references shell execution.

build/utils/utils.jsView on unpkg · L92
326(_c = process.logger) === null || _c === void 0 ? void 0 : _c.info('Installing @sasjs/core'); L327: shelljs_1.default.exec("cd \"".concat(folderPath, "\" && npm i @sasjs/core --save"), { L328: silent: true
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

build/utils/utils.jsView on unpkg · L326
build/commands/docs/generateDocs.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @sasjs/cli@4.18.1 matchedIdentity = npm:QHNhc2pzL2NsaQ:4.18.1 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

build/commands/docs/generateDocs.jsView on unpkg
build/commands/add/spec/addTarget.spec.jsView file
237patternName = generic_password severity = medium line = 237 matchedText = password...ord'
Medium
Secret Pattern

Hardcoded password in build/commands/add/spec/addTarget.spec.js

build/commands/add/spec/addTarget.spec.jsView on unpkg · L237
359patternName = generic_password severity = medium line = 359 matchedText = password...ord'
Medium
Secret Pattern

Hardcoded password in build/commands/add/spec/addTarget.spec.js

build/commands/add/spec/addTarget.spec.jsView on unpkg · L359
build/commands/job/spec/jobCommand.spec.jsView file
114patternName = generic_password severity = medium line = 114 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in build/commands/job/spec/jobCommand.spec.js

build/commands/job/spec/jobCommand.spec.jsView on unpkg · L114

Findings

1 Critical3 High6 Medium5 Low
CriticalPrevious Version Dangerous Deltabuild/commands/docs/generateDocs.js
HighChild Processbuild/commands/create/spec/create.spec.js
HighShellbuild/utils/utils.js
HighRuntime Package Installbuild/utils/utils.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternbuild/commands/add/spec/addTarget.spec.js
MediumSecret Patternbuild/commands/add/spec/addTarget.spec.js
MediumSecret Patternbuild/commands/job/spec/jobCommand.spec.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings