registry  /  @stacksjs/actions  /  0.70.69

@stacksjs/actions@0.70.69

⚠ Under review

The Stacks actions.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 158 file(s), 1.36 MB of source, external domains: 127.0.0.1, api.example.com, appimage.github.io, cdn.tailwindcss.com, cloudfront.amazonaws.com, feross.org, github.com, pantry.dev, s3.amazonaws.com, stacksjs.com, twitter.com, wixtoolset.org, www.apple.com, www.linkedin.com, www.sitemaps.org, www.w3.org

Source & flagged code

5 flagged · loading source
dist/lint/index.jsView file
2// @bun L3: import{log as e}from"@stacksjs/cli";import{existsSync as r}from"fs";import{execSync as l,spawnSync as f}from"child_process";e.info("Checking Code Style...");var i=process.cwd(),a=/...
High
Child Process

Package source references child process execution.

dist/lint/index.jsView on unpkg · L2
dist/deploy/index.jsView file
1// @bun L2: import{pb as Z}from"../chunk-4qzb8g3z.js";import{existsSync as JJ,readFileSync as BJ,statSync as TJ}from"fs";import T from"process";import{runCommand as KJ,spinner as S}from"@stack... L3: `;if(typeof U==="number"||typeof U==="string")return`${H}<${J}>${U}</${J}> ... L7: `}return""}function hJ(J){return`<?xml version="1.0" encoding="UTF-8"?> L8: <DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2020-05-31/"> L9: ${Object.entries(J).filter(([U])=>!U.startsWith("@_")).map(([U,H])=>AJ(U,H," ")).join("")}</DistributionConfig> L10: `}function _J(J){let U=[...new Set(J)].filter((Q)=>Number.isFinite(Q)&&Q>0).sort((Q,_)=>Q-_);if(U.length===0)return"true";return`if command -v firewall-cmd >/dev/null 2>&1; then fi... L11: `)){let y=G.trim();if(y.startsWith("#")||!y.includes("="))continue;let c=y.indexOf("="),k=y.slice(0,c).trim(),N=y.slice(c+1).trim();if(N.startsWith('"')&&N.endsWith('"')||N.startsW... L12: Set AWS_ACCOUNT_ID in your .env file or ensure valid AWS credentials are configured.`);let q=`${z}.dkr.ecr.${Q}.amazonaws.com/${G}-${H}-api`,A=`${q}:latest`;if(V)$.debug(`ECR repos... L13: import { SESClient } from "./ts-cloud-dist.js"; ... L149: systemctl dae
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/deploy/index.jsView on unpkg · L1
1// @bun L2: import{pb as Z}from"../chunk-4qzb8g3z.js";import{existsSync as JJ,readFileSync as BJ,statSync as TJ}from"fs";import T from"process";import{runCommand as KJ,spinner as S}from"@stack... L3: `;if(typeof U==="number"||typeof U==="string")return`${H}<${J}>${U}</${J}> ... L7: `}return""}function hJ(J){return`<?xml version="1.0" encoding="UTF-8"?> L8: <DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2020-05-31/"> L9: ${Object.entries(J).filter(([U])=>!U.startsWith("@_")).map(([U,H])=>AJ(U,H," ")).join("")}</DistributionConfig> L10: `}function _J(J){let U=[...new Set(J)].filter((Q)=>Number.isFinite(Q)&&Q>0).sort((Q,_)=>Q-_);if(U.length===0)return"true";return`if command -v firewall-cmd >/dev/null 2>&1; then fi... L11: `)){let y=G.trim();if(y.startsWith("#")||!y.includes("="))continue;let c=y.indexOf("="),k=y.slice(0,c).trim(),N=y.slice(c+1).trim();if(N.startsWith('"')&&N.endsWith('"')||N.startsW...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/deploy/index.jsView on unpkg · L1
1// @bun L2: import{pb as Z}from"../chunk-4qzb8g3z.js";import{existsSync as JJ,readFileSync as BJ,statSync as TJ}from"fs";import T from"process";import{runCommand as KJ,spinner as S}from"@stack... L3: `;if(typeof U==="number"||typeof U==="string")return`${H}<${J}>${U}</${J}>
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/deploy/index.jsView on unpkg · L1
dist/chunk-nn1a9b4f.jsView file
1package = @stacksjs/actions; repositoryIdentity = stacks; dependency = @stacksjs/ts-cloud L1: // @bun L2: import{pb as L}from"./chunk-4qzb8g3z.js";import f from"process";import{log as N}from"@stacksjs/cli";import{getErrorMessage as E}from"@stacksjs/utils";async function C(){try{return(... L3: <DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2020-05-31/">
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/chunk-nn1a9b4f.jsView on unpkg · L1

Findings

1 Critical3 High4 Medium6 Low
CriticalCredential Exfiltrationdist/deploy/index.js
HighChild Processdist/lint/index.js
HighCommand Output Exfiltrationdist/deploy/index.js
HighCopied Package Dependency Bridgedist/chunk-nn1a9b4f.js
MediumDynamic Requiredist/deploy/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings