registry  /  @stacksjs/buddy  /  0.70.67

@stacksjs/buddy@0.70.67

⚠ Under review

Meet Buddy. The Stacks runtime.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 71 file(s), 503 KB of source, external domains: 0.0.0.0, 127.0.0.1, api.hetzner.cloud, api.porkbun.com, console.aws.amazon.com, console.hetzner.cloud, github.com, stacksjs.com, us-east-1.console.aws.amazon.com

Source & flagged code

7 flagged · loading source
dist/commands/mail.jsView file
6import { readFileSync, existsSync } from "node:fs"; L7: import { execSync } from "node:child_process"; L8: export function mailCommands(buddy) {
High
Child Process

Package source references child process execution.

dist/commands/mail.jsView on unpkg · L6
352log.info(`Found Hetzner server: ${mailServer.name} (${serverIp})`); L353: const result = execSync(`ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 root@${serverIp} "timeout 5 bash -c 'echo QUIT > /dev/tcp/gmail-smtp-in.l.google.com/25' 2>&1 && echo ... L354: printPort25Status(result.trim(), "Hetzner", serverIp);
High
Shell

Package source references shell execution.

dist/commands/mail.jsView on unpkg · L352
379const result = await ssm.runShellCommand(instanceId, [ L380: 'timeout 5 bash -c "echo QUIT > /dev/tcp/gmail-smtp-in.l.google.com/25" 2>&1 && echo PORT_25_OPEN || echo PORT_25_BLOCKED' L381: ], { timeoutSeconds: 15, maxWaitMs: 20000, pollIntervalMs: 2000 }); ... L390: loadEnvFiles(); L391: const domain = process.env.APP_DOMAIN || process.env.MAIL_DOMAIN || "stacksjs.com", port = Number.parseInt(options.port, 10), mailboxes = ["chris", "blake", "glenn"], users = {}, g... L392: for (const name of mailboxes) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/mail.jsView on unpkg · L379
1import { log, runCommand } from "@stacksjs/cli"; L2: import { ExitCode } from "@stacksjs/types"; L3: import { getErrorMessage } from "@stacksjs/utils"; ... L6: import { readFileSync, existsSync } from "node:fs"; L7: import { execSync } from "node:child_process"; L8: export function mailCommands(buddy) { ... L17: try { L18: ip = (await (await import("node:dns")).promises.resolve4(domain))[0]; L19: } catch { ... L33: try { L34: const password = options.password || randomBytes(16).toString("base64").replace(/[+/=]/g, "").substring(0, 16), passwordHash = createHash("sha256").update(password).digest("hex"), ... L35: await new DynamoDBClient(process.env.AWS_REGION || "us-east-1").putItem({
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/commands/mail.jsView on unpkg · L1
dist/config.jsView file
147log.debug(`Loading buddy config from ${configPath}`); L148: const configModule = await import(configPath), config = configModule.default || configModule, validationErrors = validateConfig(config); L149: if (validationErrors.length > 0) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/config.jsView on unpkg · L147
dist/commands/make.jsView file
23package = @stacksjs/buddy; repositoryIdentity = stacks; dependency = @stacksjs/actions L23: setDryRun L24: } from "@stacksjs/actions"; L25: import { intro, italic, onUnknownSubcommand, outro } from "@stacksjs/cli";
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/commands/make.jsView on unpkg · L23
dist/commands/deploy.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @stacksjs/buddy@0.70.65 matchedIdentity = npm:QHN0YWNrc2pzL2J1ZGR5:0.70.65 similarity = 0.986 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/deploy.jsView on unpkg

Findings

1 Critical5 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/commands/deploy.js
HighChild Processdist/commands/mail.js
HighShelldist/commands/mail.js
HighSame File Env Network Executiondist/commands/mail.js
HighCredential Exfiltrationdist/commands/mail.js
HighCopied Package Dependency Bridgedist/commands/make.js
MediumDynamic Requiredist/config.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings