
@stacksjs/stx@0.2.78

⚠ Under review

A performant UI Framework. Powered by Bun.

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 21 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process · Crypto · Dynamic Require · Environment Vars · Eval · Filesystem · Network · WebSocket
Supply chain
High Entropy Strings · Minified · Obfuscated · Protestware · Telemetry · Url Strings
Manifest: No manifest risk signals triggered.
scanned 353 file(s), 49.8 MB of source, external domains: api.netlify.com, app.netlify.com, appimage.github.io, cdn.jsdelivr.net, cdn.usefathom.com, d3js.org, developers.google.com, example.com, github.com, plausible.io, player.twitch.tv, player.vimeo.com, schema.org, storage.googleapis.com, stx.dev, web.dev, www.apple.com, www.dailymotion.com, www.googletagmanager.com, www.sitemaps.org, www.w3.org, www.youtube-nocookie.com

Source & flagged code

10 flagged
dist/web-components.js
4172L4173: `),Z}async function h1($,Z,Y,X={}){if(!$.trim())return;let J;try{let P=new Bun.Transpiler({loader:"ts",target:"browser",define:o0()}),v=$.replace(/^\s*import\s+\w+\s+from\s+['"][^'... L4174: `),N1=Z.params??{},z0=[],T1=[];for(let t=0;t<x.length;t++){if(x[t]==="params")continue;z0.push(x[t]),T1.push(g[t])}let X$=await Function("module","exports","require","props","$prop...
High
Child Process

Package source references child process execution.

dist/web-components.js · L4172
1800@end${K}`;X.push(`Added ${U} missing @end${K}`)}}if(X.length>0&&Z.logRecoveryWarnings)console.warn("[stx] Auto-recovery applied fixes:"),X.forEach((K)=>console.warn(` - ${K}`)),co... L1801: `)}}});import e7 from"path";function dK($){let Z={"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"};return $.replace(/[&<>"']/g,(Y)=>Z[Y]||Y)}function c$($,Z={}){let{allo... L1802: `,V+=`<meta name="title" content="${p(O.title)}">
High
Eval

Package source references dynamic code evaluation.

dist/web-components.js · L1800
1796`)}writeToFile($){this.writeQueue=this.writeQueue.then(async()=>{try{let Z=await import("fs"),X=(await import("path")).dirname(this.logFilePath);if(!Z.existsSync(X))Z.mkdirSync(X,{... L1797: `;Z.appendFileSync(this.logFilePath,J,"utf-8")}catch(Z){if(process.env.STX_DEBUG==="true")console.error("Failed to write to error log:",Z)}})}async rotateIfNeeded($){try{if(!$.exis... L1798: ... L1800: @end${K}`;X.push(`Added ${U} missing @end${K}`)}}if(X.length>0&&Z.logRecoveryWarnings)console.warn("[stx] Auto-recovery applied fixes:"),X.forEach((K)=>console.warn(` - ${K}`)),co... L1801: `)}}});import e7 from"path";function dK($){let Z={"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"};return $.replace(/[&<>"']/g,(Y)=>Z[Y]||Y)}function c$($,Z={}){let{allo... L1802: `,V+=`<meta name="title" content="${p(O.title)}">
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/web-components.js · L1796
13} L14: `.trim()}function Y9(){return typeof globalThis.document<"u"&&typeof globalThis.document.createElement==="function"}function GQ($,Z){let Y=[],X=/<img\s+([^>]*)>/gi,J;J=X.exec($);wh... L15: <!-- Fathom Analytics --> ... L491: <span class="stx-clipboard-content">${$}</span> L492: <button type="button" class="stx-clipboard-btn" onclick="navigator.clipboard.writeText(document.querySelector('[data-clipboard-id=\\'${Y}\\'] .stx-clipboard-content').textContent).... L493: </span> ... L611: `});let Y=/import\s*\{([^}]+)\}\s*from\s*['"]@composables['"]\s*;?\n?/g;return $=$.replace(Y,(X,J)=>{return`const { ${J.split(",").map((G)=>G.trim()).filter(Boolean).join(", ")} } ... L612: `}),$}import B9 from"process";function o0($="STX_PUBLIC_"){let Z={},Y={};for(let[X,J]of Object.entries(B9.env)){if(!X.startsWith($)||J===void 0)continue;Z[`import.meta.env.${X}`]=J... L613: export { ${H.join(", ")} }`:"";await Bun.write(_,$+V),console.log("[stx:bundler] bundling:",K,"from:",W0.basename(Z));let A=new Set;try{let w=await Bun.build({entrypoints:[_],outdi... ... L656: // eslint-disable-next-line pickier/no-unused-vars L657: `)}var L9,s1,q7,cQ,F9,iQ,w9,O9=65536;var F0=C(()=>{L9={maxSanitizeDept
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/web-components.js · L13
1070`||O==="\r"||O===" "||O===void 0)W++;_=L+9}else{if(W--,W===0){B=F;break}_=F+12}}if(B===-1)continue;let j=$.slice(U,B),H=$.slice(K,B+12);J.push({fullMatch:H,options:z,content:j,inde... L1071: `)}function NO($,Z){if($.length===0)return;let Y=[...$].sort((J,Q)=>J.width-Q.width),X=Y.find((J)=>J.width>=Z);if(X)return X;return Y[Y.length-1]}function TO($,Z){let Y=Z?$.filter(... L1072: <rect fill="rgb(${H},${L},${F})" width="32" height="32"/>
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/web-components.js · L1070
dist/bundle-analyzer/treemap.js
1// @bun L2: var{defineProperty:O,getOwnPropertyNames:E,getOwnPropertyDescriptor:N}=Object,x=Object.prototype.hasOwnProperty;function T(K){return this[K]}var u=(K)=>{var Q=(C??=new WeakMap).get... L3: <html lang="en"> ... L279: L280: <script src="https://d3js.org/d3.v7.min.js"></script> L281: <script> ... L325: } L326: return d.children ? 0 : getSizeValue({ data: d }); L327: }) ... L496: </body> L497: </html>`}function i(K){let Q={name:"root",size:K.totalSize,gzipSize:K.totalGzipSize,children:[]};for(let X of K.chunks){let W={name:X.name,size:X.size,gzipSize:X.gzipSize,children:...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/bundle-analyzer/treemap.js · L1
dist/dev-server/serve-file.js
1// @bun L2: var tL=Object.defineProperty;var eL=($)=>$;function $F($,Z){this[$]=eL.bind(null,Z)}var Z0=($,Z)=>{for(var Y in Z)tL($,Y,{get:Z[Y],enumerable:!0,configurable:!0,set:$F.bind(Z,Y)})}... L3: <script> ... L205: } L206: `),K=G([]);if(Q.length===Z.length)return nG(K,Q,G);return nG((...U)=>{let B=Array(J.length);for(let _=0;_<J.length;_++)B[_]=U[J[_]];return K(...B)},Q,G,(U)=>{K=G(U)})}function nG($... L207: Help: ${X}`:Y}function _3($){for(let[Z,Y]of Object.entries(e))if(Y===$)return Z;return}var WF,B3,tG="en",e;var z3=D(()=>{WF={1001:{message:"Unclosed directive: {{directive}}",help:... L208: ${$.message}`),Z&&$.line){let Q=jF(Z,$.line,2);if(Q)X.push(` ... L238: @end${K}`;X.push(`Added ${B} missing @end${K}`)}}if(X.length>0&&Z.logRecoveryWarnings)console.warn("[stx] Auto-recovery applied fixes:"),X.forEach((K)=>console.warn(` - ${K}`)),co... L239: `)}}});import NY from"path";function OF($){let Z={"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"};return $.replace(/[&<>"']/g,(Y)=>Z[Y]||Y)}function _4($,Z={}){let{allo... L240: `)this.advance();return{type:"COMMENT",value:this.source.slice($,this.pos),start:$,end:this.pos,line:Z,column:Y}}readBlockComment($,Z,Y){t
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/dev-server/serve-file.js · L1
dist/dev-server/serve-markdown.js
13Cross-file remote execution chain: dist/dev-server/serve-markdown.js spawns dist/site-builder/index.js; helper contains network access plus dynamic code execution. L13: } L14: `.trim()}function U9(){return typeof globalThis.document<"u"&&typeof globalThis.document.createElement==="function"}function MQ($,Z){let Y=[],X=/<img\s+([^>]*)>/gi,J;J=X.exec($);wh... L15: <!-- Fathom Analytics --> ... L491: <span class="stx-clipboard-content">${$}</span> L492: <button type="button" class="stx-clipboard-btn" onclick="navigator.clipboard.writeText(document.querySelector('[data-clipboard-id=\\'${Y}\\'] .stx-clipboard-content').textContent).... L493: </span> ... L611: `});let Y=/import\s*\{([^}]+)\}\s*from\s*['"]@composables['"]\s*;?\n?/g;return $=$.replace(Y,(X,J)=>{return`const { ${J.split(",").map((G)=>G.trim()).filter(Boolean).join(", ")} } ... L612: `}),$}import A9 from"process";function o0($="STX_PUBLIC_"){let Z={},Y={};for(let[X,J]of Object.entries(A9.env)){if(!X.startsWith($)||J===void 0)continue;Z[`import.meta.env.${X}`]=J... L613: export { ${H.join(", ")} }`:"";await Bun.write(_,$+V),console.log("[stx:bundler] bundling:",K,"from:",W0.basename(Z));let A=new Set;try{let w=await Bun.buil…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/dev-server/serve-markdown.js · L13
dist/index.js
1Trigger-reachable chain: manifest.module -> dist/index.js L1: // @bun L2: var tL=Object.defineProperty;var eL=($)=>$;function $F($,Z){this[$]=eL.bind(null,Z)}var Z0=($,Z)=>{for(var Y in Z)tL($,Y,{get:Z[Y],enumerable:!0,configurable:!0,set:$F.bind(Z,Y)})}... L3: `)+` L4: `}function h0($){return $.replace(/\\/g,"\\\\").replace(/"/g,"\\\"").replace(/\n/g,"\\n").replace(/\r/g,"\\r").replace(/\t/g,"\\t")}async function Q4($){let Z={framework:"stx",buil... L5: ... L28: `}J+=`NETLIFY_SITE_ID=${$.siteId} L29: `,await Bun.write(X,J)}return{configPath:Y,siteId:$.siteId}}function XF($){let Z=process.platform,Y=Z==="darwin"?"open":Z==="win32"?"start":"xdg-open";Bun.spawn([Y,$],{stdio:["igno... L30: #${h} { ... L85: <span class="stx-clipboard-content">${$}</span> L86: <button type="button" class="stx-clipboard-btn" onclick="navigator.clipboard.writeText(document.querySelector('[data-clipboard-id=\\'${Y}\\'] .stx-clipboard-content').textContent).... L87: </span> ... L1845: @end${K}`;X.push(`Added ${B} missing @end${K}`)}}if(X.length>0&&Z.logRecoveryWarnings)console.warn("[stx] Auto-recovery applied fixes:"),X.forEach((K)=>console.warn(` - ${K}`)),co...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.js · L1
dist/forms.d.ts
patternName = generic_password · severity = medium · line = 71 · matchedText = `* { em...8' }`
Medium
Secret Pattern

Hardcoded-password pattern (generic_password) matched in dist/forms.d.ts, a type declaration file.

dist/forms.d.ts · L71

Findings

2 Critical · 5 High · 6 Medium · 8 Low
Critical · Credential Exfiltration · dist/dev-server/serve-file.js
Critical · Trigger Reachable Dangerous Capability · dist/index.js
High · Child Process · dist/web-components.js
High · Eval · dist/web-components.js
High · Same File Env Network Execution · dist/web-components.js
High · Obfuscated Payload Loader · dist/web-components.js
High · Cross File Remote Execution Context · dist/dev-server/serve-markdown.js
Medium · Dynamic Require · dist/web-components.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist/forms.d.ts
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/bundle-analyzer/treemap.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
LowUrl Strings