
@sonoma-sh/cli@0.8.1

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 findings at 72.0% confidence. This version is warn-only: installs are not blocked unless an AI or security-team review confirms malicious behavior. The findings below are heuristic signals, not confirmed malicious behavior.

Static reason
One or more suspicious static signals were detected; the specific signals are listed under Decision evidence below.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process, Dynamic Require, Environment Vars, Filesystem, Network, WebSocket
Supply chain
High Entropy Strings, Minified/Obfuscated, URL Strings
Manifest
No License, Wildcard Dependency
scanned 1 file (418 KB of minified source); hosts referenced: 127.0.0.1 (the loopback address, not an external domain), api.sonoma.sh, github.com, shygmiwlfqturvdyhvhs.supabase.co, www.sonoma.sh. The supabase.co host is consistent with the `@supabase/auth-js` client string visible in the excerpt at L209 below.

Source & flagged code

4 flagged locations (source excerpts below)
dist/cli.js
140`)+1;while(X!==0)this.onNewLine(this.offset+X),X=this.source.indexOf(` L141: `,X)+1}return{type:Z,offset:this.offset,indent:this.indent,source:this.source}}startBlockValue(Z){switch(this.type){case"alias":case"scalar":case"single-quoted-scalar":case"double-... L142: `)}displayWidth(Z){return c5(Z).length}styleTitle(Z){return Z}styleUsage(Z){return Z.split(" ").map((X)=>{if(X==="[options]")return this.styleOptionText(X);if(X==="[command]")retur...
High
Child Process

Package source references child process execution. The excerpt above is truncated and does not show the spawn/exec call itself; the surrounding identifiers (`onNewLine`, `startBlockValue`, `styleUsage` handling `[options]` and `[command]`) look like bundled YAML-parser and commander.js CLI code, so locate the actual call site in the full file before drawing a conclusion.

dist/cli.js · L140
155Expecting one of '${J.join("', '")}'`);if(this._lifeCycleHooks[Z])this._lifeCycleHooks[Z].push(X);else this._lifeCycleHooks[Z]=[X];return this}exitOverride(Z){if(Z)this._exitCallba... L156: - already used by option '${X.flags}'`)}this._initOptionGroup(Z),this.options.push(Z)}_registerCommand(Z){let X=(Q)=>{return[Q.name()].concat(Q.aliases())},J=X(Z).find((Q)=>this._... L157: - either make a new Command for each call to parse, or stop storing options as properties`);this._name=this._savedState._name,this._scriptPath=null,this.rawArgs=[],this._optionValu... ... L165: Expecting one of '${J.join("', '")}'`);let Q=`${Z}Help`;return this.on(Q,(Y)=>{let G;if(typeof X==="function")G=X({error:Y.error,command:Y.command});else G=X;if(G)Y.write(`${G} L166: `)}),this}_outputHelpIfRequested(Z){let X=this._getHelpOption();if(X&&Z.find((Q)=>X.is(Q)))this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)")}}function RX(Z){... L167: `,{mode:384})}function W6(){if(e1(N1()))TX(N1())}function j1(){return e0(Z9(),"session.json")}function X9(){if(!e1(j1()))return null;return JSON.parse(YZ(j1(),"utf8"))}function V6(...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking. This package ships as one bundled file (1 file scanned, 418 KB), so a "same file" heuristic fires on any bundled CLI with vendored dependencies; most of the excerpt above is commander.js command-registration code (`_lifeCycleHooks`, `exitOverride`, `_registerCommand`). The part worth reviewing is at the end of the excerpt: a file is written with mode 384 (0o600) and a `session.json` path is read back via `JSON.parse`, i.e. a persisted session/credential, so trace what is written there and which outbound requests consume it.

dist/cli.js · L155
152(Did you mean one of ${Q.join(", ")}?)`;if(Q.length===1)return` L153: (Did you mean ${Q[0]}?)`;return""}class R1 extends a5{constructor(Z){super();this.commands=[],this.options=[],this.parent=null,this._allowUnknownOption=!1,this._allowExcessArgument... L154: - specify the name in Command constructor or using .name()`);if(X=X||{},X.isDefault)this._defaultCommandName=Z._name;if(X.noHelp||X.hidden)Z._hidden=!0;return this._registerCommand... L155: Expecting one of '${J.join("', '")}'`);if(this._lifeCycleHooks[Z])this._lifeCycleHooks[Z].push(X);else this._lifeCycleHooks[Z]=[X];return this}exitOverride(Z){if(Z)this._exitCallba... L156: - already used by option '${X.flags}'`)}this._initOptionGroup(Z),this.options.push(Z)}_registerCommand(Z){let X=(Q)=>{return[Q.name()].concat(Q.aliases())},J=X(Z).find((Q)=>this._... L157: - either make a new Command for each call to parse, or stop storing options as properties`);this._name=this._savedState._name,this._scriptPath=null,this.rawArgs=[],this._optionValu... ... L165: Expecting one of '${J.join("', '")}'`);let Q=`${Z}Help`;return this.on(Q,(Y)=>{let G;if(typeof X==="function")G=X({error:Y.error,command:Y.command});else G=X;if(G)Y.write
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking. The excerpt shown appears to be commander.js help and option-parsing code (`Did you mean`, `_allowUnknownOption`, `_registerCommand`) rather than the execution-to-network path; confirm on the full file which command output, if any, reaches which of the hosts listed above.

dist/cli.js · L152
209${L}`}class g extends Error{constructor({message:Z,code:X,cause:J,name:Q}){var Y;super(Z,{cause:J});this.__isWebAuthnError=!0,this.name=(Y=Q!==null&&Q!==void 0?Q:J instanceof Error... L210: `);let R=await O.signMessage(new TextEncoder().encode(D),"utf8");if(!R||!(R instanceof Uint8Array))throw Error("@supabase/auth-js: Wallet signMessage() API returned an recognized v... L211:
Medium
Dynamic Require

Package source references dynamic require/import behavior. The excerpt shown is a Supabase auth-js error class (`__isWebAuthnError`) and its wallet `signMessage` path, not the dynamic require itself; locate the require/import call in the full file to judge whether it loads anything outside the bundle.

dist/cli.js · L209

Findings

4 High · 5 Medium · 6 Low
High — Child Process — dist/cli.js
High — Same File Env Network Execution — dist/cli.js
High — Command Output Exfiltration — dist/cli.js
High — Obfuscated
Medium — Dynamic Require — dist/cli.js
Medium — Network
Medium — Environment Vars
Medium — Structural Risk Force Deep Review
Medium — Wildcard Dependency
Low — Non Install Lifecycle Scripts
Low — Scripts Present
Low — Filesystem
Low — High Entropy Strings
Low — Url Strings
Low — No License