registry  /  @somewhere-tech/cli  /  0.23.1

@somewhere-tech/cli@0.23.1

⚠ Under review

CLI for somewhere.tech — auth, projects, deploy, pull, promote, db, logs, env, MCP bridge.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 68 file(s), 542 KB of source, external domains: api.somewhere.tech, fonts.googleapis.com, mcp.somewhere.tech, npm.somewhere.tech, registry.npmjs.org, runner.somewhere.tech, somewhere.tech

Source & flagged code

5 flagged · loading source
dist/swpx/spawn.jsView file
6* verdict; a missing npm is the user's environment, not a swpx error. */ L7: import { spawn } from 'node:child_process'; L8: import { dim } from '../lib/output.js';
High
Child Process

Package source references child process execution.

dist/swpx/spawn.jsView on unpkg · L6
dist/commands/dev.jsView file
357const child = spawn(command, { L358: shell: true, L359: stdio: 'inherit',
High
Shell

Package source references shell execution.

dist/commands/dev.jsView on unpkg · L357
dist/local/runtime.jsView file
36const root = packageRoot(); L37: await import(pathToFileURL(join(root, 'runtime', 'sw-init.mjs')).href); L38: contextModule = (await import(pathToFileURL(join(root, 'runtime', 'platform-context.mjs')).href));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/local/runtime.jsView on unpkg · L36
dist/commands/update.jsView file
52// in which case npm's EACCES message is surfaced and we point at the manual fix. L53: execSync(`npm install -g ${PACKAGE}@latest`, { stdio: 'inherit' }); L54: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/update.jsView on unpkg · L52
dist/lib/typecheck.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @somewhere-tech/cli@0.22.0 matchedIdentity = npm:QHNvbWV3aGVyZS10ZWNoL2NsaQ:0.22.0 similarity = 0.708 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/lib/typecheck.jsView on unpkg

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/lib/typecheck.js
HighChild Processdist/swpx/spawn.js
HighShelldist/commands/dev.js
HighRuntime Package Installdist/commands/update.js
MediumDynamic Requiredist/local/runtime.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings