
@sonoma-sh/cli@0.6.0

Static Scan Results

scanned 19h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process · Dynamic Require · Environment Vars · Filesystem · Network · WebSocket
Supply chain
High Entropy Strings · Minified/Obfuscated · URL Strings
Manifest
No License · Wildcard Dependency
scanned 1 file(s), 418 KB of source, external domains: 127.0.0.1, api.sonoma.sh, github.com, shygmiwlfqturvdyhvhs.supabase.co, www.sonoma.sh

Source & flagged code

4 flagged
dist/cli.js
143`,F.write(M,!0),w1.isTTY&&(q=GM(M,Y.columns)),F},spin(){return F.render(),J=++J%G.length,F},update(M){if(typeof M==="string")Z=M;else Z=M.text||Z,G=M.frames&&M.frames.length?M.fram... L144: `}`:"",!0),w1.isTTY&&!I?F.write("\x1B[?25h"):F},success(M={}){return F.stop({text:B(M),mark:K(M,w1.symbols.tick),color:"green",update:V(M)})},error(M={}){return F.stop({text:B(M),m... L145: `)}displayWidth(Z){return pG(Z).length}styleTitle(Z){return Z}styleUsage(Z){return Z.split(" ").map((X)=>{if(X==="[options]")return this.styleOptionText(X);if(X==="[command]")retur...
High
Child Process

Package source references child process execution.

dist/cli.js · L143
158Expecting one of '${J.join("', '")}'`);if(this._lifeCycleHooks[Z])this._lifeCycleHooks[Z].push(X);else this._lifeCycleHooks[Z]=[X];return this}exitOverride(Z){if(Z)this._exitCallba... L159: - already used by option '${X.flags}'`)}this._initOptionGroup(Z),this.options.push(Z)}_registerCommand(Z){let X=(Q)=>{return[Q.name()].concat(Q.aliases())},J=X(Z).find((Q)=>this._... L160: - either make a new Command for each call to parse, or stop storing options as properties`);this._name=this._savedState._name,this._scriptPath=null,this.rawArgs=[],this._optionValu... ... L168: Expecting one of '${J.join("', '")}'`);let Q=`${Z}Help`;return this.on(Q,(Y)=>{let G;if(typeof X==="function")G=X({error:Y.error,command:Y.command});else G=X;if(G)Y.write(`${G} L169: `)}),this}_outputHelpIfRequested(Z){let X=this._getHelpOption();if(X&&Z.find((Q)=>X.is(Q)))this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)")}}function RX(Z){... L170: `,{mode:384})}function V6(){if(t0(R0()))TX(R0())}function N0(){return t1(e0(),"session.json")}function Z9(){if(!t0(N0()))return null;return JSON.parse(z4(N0(),"utf8"))}function B6(...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.js · L158
155(Did you mean one of ${Q.join(", ")}?)`;if(Q.length===1)return` L156: (Did you mean ${Q[0]}?)`;return""}class O0 extends nG{constructor(Z){super();this.commands=[],this.options=[],this.parent=null,this._allowUnknownOption=!1,this._allowExcessArgument... L157: - specify the name in Command constructor or using .name()`);if(X=X||{},X.isDefault)this._defaultCommandName=Z._name;if(X.noHelp||X.hidden)Z._hidden=!0;return this._registerCommand... L158: Expecting one of '${J.join("', '")}'`);if(this._lifeCycleHooks[Z])this._lifeCycleHooks[Z].push(X);else this._lifeCycleHooks[Z]=[X];return this}exitOverride(Z){if(Z)this._exitCallba... L159: - already used by option '${X.flags}'`)}this._initOptionGroup(Z),this.options.push(Z)}_registerCommand(Z){let X=(Q)=>{return[Q.name()].concat(Q.aliases())},J=X(Z).find((Q)=>this._... L160: - either make a new Command for each call to parse, or stop storing options as properties`);this._name=this._savedState._name,this._scriptPath=null,this.rawArgs=[],this._optionValu... ... L168: Expecting one of '${J.join("', '")}'`);let Q=`${Z}Help`;return this.on(Q,(Y)=>{let G;if(typeof X==="function")G=X({error:Y.error,command:Y.command});else G=X;if(G)Y.write
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.js · L155
212${L}`}class f extends Error{constructor({message:Z,code:X,cause:J,name:Q}){var Y;super(Z,{cause:J});this.__isWebAuthnError=!0,this.name=(Y=Q!==null&&Q!==void 0?Q:J instanceof Error... L213: `);let O=await I.signMessage(new TextEncoder().encode(K),"utf8");if(!O||!(O instanceof Uint8Array))throw Error("@supabase/auth-js: Wallet signMessage() API returned an recognized v... L214: `+Z.map((X)=>` - ${X}`).join(`
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.js · L212

Findings

4 High · 5 Medium · 6 Low
High · Child Process · dist/cli.js
High · Same File Env Network Execution · dist/cli.js
High · Command Output Exfiltration · dist/cli.js
High · Obfuscated
Medium · Dynamic Require · dist/cli.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License