registry  /  @sensegrep/cli  /  1.11.0

@sensegrep/cli@1.11.0

Command-line semantic code search for AI coding workflows — find the right code by meaning using semantic, exact, and AST-aware retrieval.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 104 KB of source, external domains: 127.0.0.1

Source & flagged code

3 flagged · loading source
dist/main.jsView file
47package = @sensegrep/cli; repositoryIdentity = sensegrep; dependency = @sensegrep/core L47: if (!corePromise) { L48: corePromise = import("@sensegrep/core").catch(async (error) => { L49: const fallbackUrl = new URL("../../core/dist/index.js", import.meta.url).href;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/main.jsView on unpkg · L47
47if (!corePromise) { L48: corePromise = import("@sensegrep/core").catch(async (error) => { L49: const fallbackUrl = new URL("../../core/dist/index.js", import.meta.url).href;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/main.jsView on unpkg · L47
dist/daemon.jsView file
1import { createServer, request as httpRequest } from "node:http"; L2: import { spawn } from "node:child_process"; L3: import crypto from "node:crypto"; L4: import path from "node:path"; L5: import { writeJson, writeStdoutLine } from "./output.js"; L6: const toolCache = new Map(); ... L83: try { L84: resolve(text ? JSON.parse(text) : {}); L85: } ... L92: if (body !== undefined) L93: req.write(JSON.stringify(body)); L94: req.end();
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/daemon.jsView on unpkg · L1

Findings

1 High4 Medium6 Low
HighCopied Package Dependency Bridgedist/main.js
MediumDynamic Requiredist/main.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/daemon.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings