Static Scan Results
scanned 6d ago · by rust-scannerStatic analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcedist/swpx/spawn.jsView file
6* verdict; a missing npm is the user's environment, not a swpx error. */
L7: import { spawn } from 'node:child_process';
L8: import { dim } from '../lib/output.js';
High
dist/commands/dev.jsView file
357const child = spawn(command, {
L358: shell: true,
L359: stdio: 'inherit',
High
dist/local/runtime.jsView file
36const root = packageRoot();
L37: await import(pathToFileURL(join(root, 'runtime', 'sw-init.mjs')).href);
L38: contextModule = (await import(pathToFileURL(join(root, 'runtime', 'platform-context.mjs')).href));
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/local/runtime.jsView on unpkg · L36dist/commands/update.jsView file
52// in which case npm's EACCES message is surfaced and we point at the manual fix.
L53: execSync(`npm install -g ${PACKAGE}@latest`, { stdio: 'inherit' });
L54: }
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/commands/update.jsView on unpkg · L52Findings
3 High4 Medium5 Low
HighChild Processdist/swpx/spawn.js
HighShelldist/commands/dev.js
HighRuntime Package Installdist/commands/update.js
MediumDynamic Requiredist/local/runtime.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings