registry  /  @sfdt/cli  /  0.16.1

@sfdt/cli@0.16.1

Salesforce DevTools — Production-grade CLI for Salesforce DX deployment, testing, quality analysis, and release management

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 172 file(s), 1.93 MB of source, external domains: 127.0.0.1, docs.anthropic.com, github.com, react.dev, registry.npmjs.org, schema.org, soap.sforce.com, www.w3.org

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
host/src/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @sfdt/cli@0.15.2 matchedIdentity = npm:QHNmZHQvY2xp:0.15.2 similarity = 0.658 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

host/src/index.jsView on unpkg
30L31: const require = createRequire(import.meta.url); L32:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

host/src/index.jsView on unpkg · L30
src/commands/ui.jsView file
60package = @sfdt/cli; repositoryIdentity = sfdt; dependency = open L60: try { L61: const { default: open } = await import('open'); L62: await open(url);
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

src/commands/ui.jsView on unpkg · L60
scripts/core/compare-preview-vs-pull.shView file
path = scripts/core/compare-preview-vs-pull.sh kind = build_helper sizeBytes = 3156 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/core/compare-preview-vs-pull.shView on unpkg

Findings

3 High6 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighCopied Package Dependency Bridgesrc/commands/ui.js
HighPrevious Version Dangerous Deltahost/src/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirehost/src/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/core/compare-preview-vs-pull.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings