
@sonoma-sh/cli@0.3.0

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the specific signals are the Behavioral surface, Supply chain and Manifest tags listed under Decision evidence below.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process · Dynamic Require · Environment Vars · Filesystem · Network · WebSocket
Supply chain
High Entropy Strings · Minified · Obfuscated · URL Strings
Manifest
No License · Wildcard Dependency
scanned 1 file(s), 415 KB of source; domains referenced in source: 127.0.0.1 (loopback, not an external host), api.sonoma.sh, github.com, shygmiwlfqturvdyhvhs.supabase.co, www.sonoma.sh

Source & flagged code

4 flagged locations
dist/cli.js
143`,F.write(D,!0),w1.isTTY&&(q=vM(D,Y.columns)),F},spin(){return F.render(),J=++J%G.length,F},update(D){if(typeof D==="string")Z=D;else Z=D.text||Z,G=D.frames&&D.frames.length?D.fram... L144: `}`:"",!0),w1.isTTY&&!O?F.write("\x1B[?25h"):F},success(D={}){return F.stop({text:B(D),mark:K(D,w1.symbols.tick),color:"green",update:V(D)})},error(D={}){return F.stop({text:B(D),m... L145: `)}displayWidth(Z){return bG(Z).length}styleTitle(Z){return Z}styleUsage(Z){return Z.split(" ").map((X)=>{if(X==="[options]")return this.styleOptionText(X);if(X==="[command]")retur...
High
Child Process

Package source references child process execution. The truncated excerpt shown above (around L143) contains only TTY/spinner output handling and does not itself show the child-process call; open the full file to confirm what is executed and with which arguments.

dist/cli.js · L143
158Expecting one of '${J.join("', '")}'`);if(this._lifeCycleHooks[Z])this._lifeCycleHooks[Z].push(X);else this._lifeCycleHooks[Z]=[X];return this}exitOverride(Z){if(Z)this._exitCallba... L159: - already used by option '${X.flags}'`)}this._initOptionGroup(Z),this.options.push(Z)}_registerCommand(Z){let X=(Q)=>{return[Q.name()].concat(Q.aliases())},J=X(Z).find((Q)=>this._... L160: - either make a new Command for each call to parse, or stop storing options as properties`);this._name=this._savedState._name,this._scriptPath=null,this.rawArgs=[],this._optionValu... ... L168: Expecting one of '${J.join("', '")}'`);let Q=`${Z}Help`;return this.on(Q,(Y)=>{let G;if(typeof X==="function")G=X({error:Y.error,command:Y.command});else G=X;if(G)Y.write(`${G} L169: `)}),this}_outputHelpIfRequested(Z){let X=this._getHelpOption();if(X&&Z.find((Q)=>X.is(Q)))this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)")}}function MX(Z){... L170: `,{mode:384})}function q6(){if(r0(O0()))OX(O0())}function I0(){return o1(t0(),"session.json")}function e0(){if(!r0(I0()))return null;return JSON.parse(Q4(I0(),"utf8"))}function W6(...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking. Note that dist/cli.js is the only file scanned and is a 415 KB bundle that includes vendored libraries (a commander-style command parser and @supabase/auth-js are visible in the excerpts), so co-occurrence of these capabilities in one file is expected for a bundled CLI and is a weak signal on its own.

dist/cli.js · L158
155(Did you mean one of ${Q.join(", ")}?)`;if(Q.length===1)return` L156: (Did you mean ${Q[0]}?)`;return""}class L0 extends _G{constructor(Z){super();this.commands=[],this.options=[],this.parent=null,this._allowUnknownOption=!1,this._allowExcessArgument... L157: - specify the name in Command constructor or using .name()`);if(X=X||{},X.isDefault)this._defaultCommandName=Z._name;if(X.noHelp||X.hidden)Z._hidden=!0;return this._registerCommand... L158: Expecting one of '${J.join("', '")}'`);if(this._lifeCycleHooks[Z])this._lifeCycleHooks[Z].push(X);else this._lifeCycleHooks[Z]=[X];return this}exitOverride(Z){if(Z)this._exitCallba... L159: - already used by option '${X.flags}'`)}this._initOptionGroup(Z),this.options.push(Z)}_registerCommand(Z){let X=(Q)=>{return[Q.name()].concat(Q.aliases())},J=X(Z).find((Q)=>this._... L160: - either make a new Command for each call to parse, or stop storing options as properties`);this._name=this._savedState._name,this._scriptPath=null,this.rawArgs=[],this._optionValu... ... L168: Expecting one of '${J.join("', '")}'`);let Q=`${Z}Help`;return this.on(Q,(Y)=>{let G;if(typeof X==="function")G=X({error:Y.error,command:Y.command});else G=X;if(G)Y.write
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.js · L155
212${L}`}class _ extends Error{constructor({message:Z,code:X,cause:J,name:Q}){var Y;super(Z,{cause:J});this.__isWebAuthnError=!0,this.name=(Y=Q!==null&&Q!==void 0?Q:J instanceof Error... L213: `);let I=await O.signMessage(new TextEncoder().encode(K),"utf8");if(!I||!(I instanceof Uint8Array))throw Error("@supabase/auth-js: Wallet signMessage() API returned an recognized v... L214: `)}async function t7(Z){let X=null;for(let z of XM)if(await Bun.file(o7(Z,z)).exists()){X=z;break}if(X===null)return null;let J=t9(await Bun.file(o7(Z,X)).text()),{exposes:Q,notes:...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.js · L212

Findings

4 High · 5 Medium · 6 Low
High · Child Process · dist/cli.js
High · Same File Env Network Execution · dist/cli.js
High · Command Output Exfiltration · dist/cli.js
High · Obfuscated
Medium · Dynamic Require · dist/cli.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · URL Strings
Low · No License