
@sonoma-sh/cli@0.0.2

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 15 findings at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process, Dynamic Require, Environment Vars, Filesystem, Network, WebSocket
Supply chain
High Entropy Strings, Minified, Obfuscated, Url Strings
Manifest
No License, Wildcard Dependency
scanned 1 file (411 KB of source); external domains: api.sonoma.sh, github.com, shygmiwlfqturvdyhvhs.supabase.co, www.sonoma.sh

Source & flagged code

4 flagged
dist/cli.js
143`,U.write(F,!0),j1.isTTY&&(q=$D(F,Y.columns)),U},spin(){return U.render(),J=++J%G.length,U},update(F){if(typeof F==="string")Z=F;else Z=F.text||Z,G=F.frames&&F.frames.length?F.fram... L144: `}`:"",!0),j1.isTTY&&!I?U.write("\x1B[?25h"):U},success(F={}){return U.stop({text:B(F),mark:K(F,j1.symbols.tick),color:"green",update:V(F)})},error(F={}){return U.stop({text:B(F),m... L145: `)}displayWidth(Z){return LG(Z).length}styleTitle(Z){return Z}styleUsage(Z){return Z.split(" ").map((X)=>{if(X==="[options]")return this.styleOptionText(X);if(X==="[command]")retur...
High
Child Process

Package source references child process execution.

dist/cli.js · L143
158Expecting one of '${J.join("', '")}'`);if(this._lifeCycleHooks[Z])this._lifeCycleHooks[Z].push(X);else this._lifeCycleHooks[Z]=[X];return this}exitOverride(Z){if(Z)this._exitCallba... L159: - already used by option '${X.flags}'`)}this._initOptionGroup(Z),this.options.push(Z)}_registerCommand(Z){let X=(Q)=>{return[Q.name()].concat(Q.aliases())},J=X(Z).find((Q)=>this._... L160: - either make a new Command for each call to parse, or stop storing options as properties`);this._name=this._savedState._name,this._scriptPath=null,this.rawArgs=[],this._optionValu... ... L168: Expecting one of '${J.join("', '")}'`);let Q=`${Z}Help`;return this.on(Q,(Y)=>{let G;if(typeof X==="function")G=X({error:Y.error,command:Y.command});else G=X;if(G)Y.write(`${G} L169: `)}),this}_outputHelpIfRequested(Z){let X=this._getHelpOption();if(X&&Z.find((Q)=>X.is(Q)))this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)")}}function HX(Z){... L170: `,{mode:384})}function Y6(){if(s0(L0()))$X(L0())}function I0(){return s1(r0(),"session.json")}function o0(){if(!s0(I0()))return null;return JSON.parse(t8(I0(),"utf8"))}function G6(...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.js · L158
155(Did you mean one of ${Q.join(", ")}?)`;if(Q.length===1)return` L156: (Did you mean ${Q[0]}?)`;return""}class F0 extends RG{constructor(Z){super();this.commands=[],this.options=[],this.parent=null,this._allowUnknownOption=!1,this._allowExcessArgument... L157: - specify the name in Command constructor or using .name()`);if(X=X||{},X.isDefault)this._defaultCommandName=Z._name;if(X.noHelp||X.hidden)Z._hidden=!0;return this._registerCommand... L158: Expecting one of '${J.join("', '")}'`);if(this._lifeCycleHooks[Z])this._lifeCycleHooks[Z].push(X);else this._lifeCycleHooks[Z]=[X];return this}exitOverride(Z){if(Z)this._exitCallba... L159: - already used by option '${X.flags}'`)}this._initOptionGroup(Z),this.options.push(Z)}_registerCommand(Z){let X=(Q)=>{return[Q.name()].concat(Q.aliases())},J=X(Z).find((Q)=>this._... L160: - either make a new Command for each call to parse, or stop storing options as properties`);this._name=this._savedState._name,this._scriptPath=null,this.rawArgs=[],this._optionValu... ... L168: Expecting one of '${J.join("', '")}'`);let Q=`${Z}Help`;return this.on(Q,(Y)=>{let G;if(typeof X==="function")G=X({error:Y.error,command:Y.command});else G=X;if(G)Y.write
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.js · L155
212${L}`}class _ extends Error{constructor({message:Z,code:X,cause:J,name:Q}){var Y;super(Z,{cause:J});this.__isWebAuthnError=!0,this.name=(Y=Q!==null&&Q!==void 0?Q:J instanceof Error... L213: `);let O=await I.signMessage(new TextEncoder().encode(K),"utf8");if(!O||!(O instanceof Uint8Array))throw Error("@supabase/auth-js: Wallet signMessage() API returned an recognized v... L214: `,{mode:384});let z=`sonoma-env-${Z}`,H=s9(Q,"ssh_config"),q=[`Host ${d7}`,` HostName ${X.bastionHost}`,` Port ${X.bastionPort}`,` User ${X.user}`,` IdentityFile ${J}`,` Certi...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.js · L212

Findings

4 High · 5 Medium · 6 Low
High — Child Process — dist/cli.js
High — Same File Env Network Execution — dist/cli.js
High — Command Output Exfiltration — dist/cli.js
High — Obfuscated
Medium — Dynamic Require — dist/cli.js
Medium — Network
Medium — Environment Vars
Medium — Structural Risk Force Deep Review
Medium — Wildcard Dependency
Low — Non Install Lifecycle Scripts
Low — Scripts Present
Low — Filesystem
Low — High Entropy Strings
Low — Url Strings
Low — No License