
@sonoma-sh/cli@0.2.0

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI review or a security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process, Dynamic Require, Environment Vars, Filesystem, Network, WebSocket
Supply chain
High Entropy Strings, Minified/Obfuscated, URL Strings
Manifest
No License, Wildcard Dependency
scanned 1 file(s), 412 KB of source, external domains: 127.0.0.1, api.sonoma.sh, github.com, shygmiwlfqturvdyhvhs.supabase.co, www.sonoma.sh

Source & flagged code

dist/cli.js
143`,F.write(U,!0),w1.isTTY&&(q=TD(U,Y.columns)),F},spin(){return F.render(),J=++J%G.length,F},update(U){if(typeof U==="string")Z=U;else Z=U.text||Z,G=U.frames&&U.frames.length?U.fram... L144: `}`:"",!0),w1.isTTY&&!I?F.write("\x1B[?25h"):F},success(U={}){return F.stop({text:B(U),mark:K(U,w1.symbols.tick),color:"green",update:V(U)})},error(U={}){return F.stop({text:B(U),m... L145: `)}displayWidth(Z){return PG(Z).length}styleTitle(Z){return Z}styleUsage(Z){return Z.split(" ").map((X)=>{if(X==="[options]")return this.styleOptionText(X);if(X==="[command]")retur...
High
Child Process

Package source references child process execution.

dist/cli.js, line 143
158Expecting one of '${J.join("', '")}'`);if(this._lifeCycleHooks[Z])this._lifeCycleHooks[Z].push(X);else this._lifeCycleHooks[Z]=[X];return this}exitOverride(Z){if(Z)this._exitCallba... L159: - already used by option '${X.flags}'`)}this._initOptionGroup(Z),this.options.push(Z)}_registerCommand(Z){let X=(Q)=>{return[Q.name()].concat(Q.aliases())},J=X(Z).find((Q)=>this._... L160: - either make a new Command for each call to parse, or stop storing options as properties`);this._name=this._savedState._name,this._scriptPath=null,this.rawArgs=[],this._optionValu... ... L168: Expecting one of '${J.join("', '")}'`);let Q=`${Z}Help`;return this.on(Q,(Y)=>{let G;if(typeof X==="function")G=X({error:Y.error,command:Y.command});else G=X;if(G)Y.write(`${G} L169: `)}),this}_outputHelpIfRequested(Z){let X=this._getHelpOption();if(X&&Z.find((Q)=>X.is(Q)))this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)")}}function KX(Z){... L170: `,{mode:384})}function H6(){if(o0(I0()))LX(I0())}function O0(){return r1(t0(),"session.json")}function e0(){if(!o0(O0()))return null;return JSON.parse(J4(O0(),"utf8"))}function q6(...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review the surrounding context (which values are read, where they are sent, and what is executed) before blocking.

dist/cli.js, line 158
155(Did you mean one of ${Q.join(", ")}?)`;if(Q.length===1)return` L156: (Did you mean ${Q[0]}?)`;return""}class L0 extends AG{constructor(Z){super();this.commands=[],this.options=[],this.parent=null,this._allowUnknownOption=!1,this._allowExcessArgument... L157: - specify the name in Command constructor or using .name()`);if(X=X||{},X.isDefault)this._defaultCommandName=Z._name;if(X.noHelp||X.hidden)Z._hidden=!0;return this._registerCommand... L158: Expecting one of '${J.join("', '")}'`);if(this._lifeCycleHooks[Z])this._lifeCycleHooks[Z].push(X);else this._lifeCycleHooks[Z]=[X];return this}exitOverride(Z){if(Z)this._exitCallba... L159: - already used by option '${X.flags}'`)}this._initOptionGroup(Z),this.options.push(Z)}_registerCommand(Z){let X=(Q)=>{return[Q.name()].concat(Q.aliases())},J=X(Z).find((Q)=>this._... L160: - either make a new Command for each call to parse, or stop storing options as properties`);this._name=this._savedState._name,this._scriptPath=null,this.rawArgs=[],this._optionValu... ... L168: Expecting one of '${J.join("', '")}'`);let Q=`${Z}Help`;return this.on(Q,(Y)=>{let G;if(typeof X==="function")G=X({error:Y.error,command:Y.command});else G=X;if(G)Y.write
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review the data flow from command output to the outbound request before blocking.

dist/cli.js, line 155
212${L}`}class _ extends Error{constructor({message:Z,code:X,cause:J,name:Q}){var Y;super(Z,{cause:J});this.__isWebAuthnError=!0,this.name=(Y=Q!==null&&Q!==void 0?Q:J instanceof Error... L213: `);let O=await I.signMessage(new TextEncoder().encode(K),"utf8");if(!O||!(O instanceof Uint8Array))throw Error("@supabase/auth-js: Wallet signMessage() API returned an recognized v... L214: `,{mode:384});let z=`sonoma-env-${Z}`,H=t9(Q,"ssh_config"),q=[`Host ${s7}`,` HostName ${X.bastionHost}`,` Port ${X.bastionPort}`,` User ${X.user}`,` IdentityFile ${J}`,` Certi...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.js, line 212

Findings

4 High · 5 Medium · 6 Low
High — Child Process — dist/cli.js
High — Same File Env Network Execution — dist/cli.js
High — Command Output Exfiltration — dist/cli.js
High — Obfuscated
Medium — Dynamic Require — dist/cli.js
Medium — Network
Medium — Environment Vars
Medium — Structural Risk Force Deep Review
Medium — Wildcard Dependency
Low — Non Install Lifecycle Scripts
Low — Scripts Present
Low — Filesystem
Low — High Entropy Strings
Low — Url Strings
Low — No License