
@stacksjs/stx@0.2.75

⚠ Under review

A performant UI Framework. Powered by Bun.

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 21 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, WebSocket
Supply chain
High Entropy Strings, Minified, Obfuscated, Protestware, Telemetry, Url Strings
Manifest: No manifest risk signals triggered.
scanned 353 file(s), 49.8 MB of source, external domains: api.netlify.com, app.netlify.com, appimage.github.io, cdn.jsdelivr.net, cdn.usefathom.com, d3js.org, developers.google.com, example.com, github.com, plausible.io, player.twitch.tv, player.vimeo.com, schema.org, storage.googleapis.com, stx.dev, web.dev, www.apple.com, www.dailymotion.com, www.googletagmanager.com, www.sitemaps.org, www.w3.org, www.youtube-nocookie.com

Source & flagged code

10 flagged
dist/web-components.js
4172L4173: `),Z}async function h1($,Z,Y,X={}){if(!$.trim())return;let J;try{let P=new Bun.Transpiler({loader:"ts",target:"browser",define:o0()}),v=$.replace(/^\s*import\s+\w+\s+from\s+['"][^'... L4174: `),N1=Z.params??{},z0=[],T1=[];for(let e=0;e<x.length;e++){if(x[e]==="params")continue;z0.push(x[e]),T1.push(g[e])}let Y$=await Function("module","exports","require","props","$prop...
High
Child Process

Package source references child process execution.

dist/web-components.js · L4172
1800@end${K}`;X.push(`Added ${U} missing @end${K}`)}}if(X.length>0&&Z.logRecoveryWarnings)console.warn("[stx] Auto-recovery applied fixes:"),X.forEach((K)=>console.warn(` - ${K}`)),co... L1801: `)}}});import t7 from"path";function fK($){let Z={"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"};return $.replace(/[&<>"']/g,(Y)=>Z[Y]||Y)}function p$($,Z={}){let{allo... L1802: `,V+=`<meta name="title" content="${p(O.title)}">
High
Eval

Package source references dynamic code evaluation.

dist/web-components.js · L1800
1796`)}writeToFile($){this.writeQueue=this.writeQueue.then(async()=>{try{let Z=await import("fs"),X=(await import("path")).dirname(this.logFilePath);if(!Z.existsSync(X))Z.mkdirSync(X,{... L1797: `;Z.appendFileSync(this.logFilePath,J,"utf-8")}catch(Z){if(process.env.STX_DEBUG==="true")console.error("Failed to write to error log:",Z)}})}async rotateIfNeeded($){try{if(!$.exis... L1798: ... L1800: @end${K}`;X.push(`Added ${U} missing @end${K}`)}}if(X.length>0&&Z.logRecoveryWarnings)console.warn("[stx] Auto-recovery applied fixes:"),X.forEach((K)=>console.warn(` - ${K}`)),co... L1801: `)}}});import t7 from"path";function fK($){let Z={"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"};return $.replace(/[&<>"']/g,(Y)=>Z[Y]||Y)}function p$($,Z={}){let{allo... L1802: `,V+=`<meta name="title" content="${p(O.title)}">
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/web-components.js · L1796
13} L14: `.trim()}function Z9(){return typeof globalThis.document<"u"&&typeof globalThis.document.createElement==="function"}function YQ($,Z){let Y=[],X=/<img\s+([^>]*)>/gi,J;J=X.exec($);wh... L15: <!-- Fathom Analytics --> ... L491: <span class="stx-clipboard-content">${$}</span> L492: <button type="button" class="stx-clipboard-btn" onclick="navigator.clipboard.writeText(document.querySelector('[data-clipboard-id=\\'${Y}\\'] .stx-clipboard-content').textContent).... L493: </span> ... L611: `});let Y=/import\s*\{([^}]+)\}\s*from\s*['"]@composables['"]\s*;?\n?/g;return $=$.replace(Y,(X,J)=>{return`const { ${J.split(",").map((G)=>G.trim()).filter(Boolean).join(", ")} } ... L612: `}),$}import _9 from"process";function o0($="STX_PUBLIC_"){let Z={},Y={};for(let[X,J]of Object.entries(_9.env)){if(!X.startsWith($)||J===void 0)continue;Z[`import.meta.env.${X}`]=J... L613: export { ${H.join(", ")} }`:"";await Bun.write(_,$+V),console.log("[stx:bundler] bundling:",K,"from:",W0.basename(Z));let A=new Set;try{let w=await Bun.build({entrypoints:[_],outdi... ... L656: // eslint-disable-next-line pickier/no-unused-vars L657: `)}var H9,s1,K7,mQ,O9,uQ,iQ,j9=65536;var F0=C(()=>{H9={maxSanitizeDept
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/web-components.js · L13
1070`||O==="\r"||O===" "||O===void 0)W++;_=L+9}else{if(W--,W===0){B=F;break}_=F+12}}if(B===-1)continue;let j=$.slice(U,B),H=$.slice(K,B+12);J.push({fullMatch:H,options:z,content:j,inde... L1071: `)}function wO($,Z){if($.length===0)return;let Y=[...$].sort((J,Q)=>J.width-Q.width),X=Y.find((J)=>J.width>=Z);if(X)return X;return Y[Y.length-1]}function AO($,Z){let Y=Z?$.filter(... L1072: <rect fill="rgb(${H},${L},${F})" width="32" height="32"/>
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/web-components.js · L1070
dist/bundle-analyzer/treemap.js
1// @bun L2: var{defineProperty:O,getOwnPropertyNames:E,getOwnPropertyDescriptor:N}=Object,x=Object.prototype.hasOwnProperty;function T(K){return this[K]}var u=(K)=>{var Q=(C??=new WeakMap).get... L3: <html lang="en"> ... L279: L280: <script src="https://d3js.org/d3.v7.min.js"></script> L281: <script> ... L325: } L326: return d.children ? 0 : getSizeValue({ data: d }); L327: }) ... L496: </body> L497: </html>`}function i(K){let Q={name:"root",size:K.totalSize,gzipSize:K.totalGzipSize,children:[]};for(let X of K.chunks){let W={name:X.name,size:X.size,gzipSize:X.gzipSize,children:...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/bundle-analyzer/treemap.js · L1
dist/dev-server/serve-file.js
1// @bun L2: var sL=Object.defineProperty;var rL=($)=>$;function oL($,Z){this[$]=rL.bind(null,Z)}var Z0=($,Z)=>{for(var Y in Z)sL($,Y,{get:Z[Y],enumerable:!0,configurable:!0,set:oL.bind(Z,Y)})}... L3: <script> ... L205: } L206: `);if(Q.length===Z.length)return G;return(...K)=>{let W=Array(J.length);for(let U=0;U<J.length;U++)W[U]=K[J[U]];return G(...W)}}function W3($){let Z=$.trim(),Y=[/\beval\s*\(/i,/\bF... L207: Help: ${X}`:Y}function _3($){for(let[Z,Y]of Object.entries(e))if(Y===$)return Z;return}var QF,U3,rG="en",e;var B3=D(()=>{QF={1001:{message:"Unclosed directive: {{directive}}",help:... L208: ${$.message}`),Z&&$.line){let Q=BF(Z,$.line,2);if(Q)X.push(` ... L238: @end${K}`;X.push(`Added ${_} missing @end${K}`)}}if(X.length>0&&Z.logRecoveryWarnings)console.warn("[stx] Auto-recovery applied fixes:"),X.forEach((K)=>console.warn(` - ${K}`)),co... L239: `)}}});import VY from"path";function qF($){let Z={"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"};return $.replace(/[&<>"']/g,(Y)=>Z[Y]||Y)}function B4($,Z={}){let{allo... L240: `)this.advance();return{type:"COMMENT",value:this.source.slice($,this.pos),start:$,end:this.pos,line:Z,column:Y}}readBlockComment($,Z,Y){t
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/dev-server/serve-file.js · L1
dist/dev-server/serve-markdown.js
13Cross-file remote execution chain: dist/dev-server/serve-markdown.js spawns dist/site-builder/index.js; helper contains network access plus dynamic code execution. L13: } L14: `.trim()}function z9(){return typeof globalThis.document<"u"&&typeof globalThis.document.createElement==="function"}function RQ($,Z){let Y=[],X=/<img\s+([^>]*)>/gi,J;J=X.exec($);wh... L15: <!-- Fathom Analytics --> ... L491: <span class="stx-clipboard-content">${$}</span> L492: <button type="button" class="stx-clipboard-btn" onclick="navigator.clipboard.writeText(document.querySelector('[data-clipboard-id=\\'${Y}\\'] .stx-clipboard-content').textContent).... L493: </span> ... L611: `});let Y=/import\s*\{([^}]+)\}\s*from\s*['"]@composables['"]\s*;?\n?/g;return $=$.replace(Y,(X,J)=>{return`const { ${J.split(",").map((G)=>G.trim()).filter(Boolean).join(", ")} } ... L612: `}),$}import w9 from"process";function o0($="STX_PUBLIC_"){let Z={},Y={};for(let[X,J]of Object.entries(w9.env)){if(!X.startsWith($)||J===void 0)continue;Z[`import.meta.env.${X}`]=J... L613: export { ${H.join(", ")} }`:"";await Bun.write(_,$+V),console.log("[stx:bundler] bundling:",K,"from:",W0.basename(Z));let R=new Set;try{let w=await Bun.buil…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/dev-server/serve-markdown.js · L13
dist/index.js
1Trigger-reachable chain: manifest.module -> dist/index.js L1: // @bun L2: var sL=Object.defineProperty;var rL=($)=>$;function oL($,Z){this[$]=rL.bind(null,Z)}var Z0=($,Z)=>{for(var Y in Z)sL($,Y,{get:Z[Y],enumerable:!0,configurable:!0,set:oL.bind(Z,Y)})}... L3: `)+` L4: `}function h0($){return $.replace(/\\/g,"\\\\").replace(/"/g,"\\\"").replace(/\n/g,"\\n").replace(/\r/g,"\\r").replace(/\t/g,"\\t")}async function Q4($){let Z={framework:"stx",buil... L5: ... L28: `}J+=`NETLIFY_SITE_ID=${$.siteId} L29: `,await Bun.write(X,J)}return{configPath:Y,siteId:$.siteId}}function eL($){let Z=process.platform,Y=Z==="darwin"?"open":Z==="win32"?"start":"xdg-open";Bun.spawn([Y,$],{stdio:["igno... L30: #${h} { ... L85: <span class="stx-clipboard-content">${$}</span> L86: <button type="button" class="stx-clipboard-btn" onclick="navigator.clipboard.writeText(document.querySelector('[data-clipboard-id=\\'${Y}\\'] .stx-clipboard-content').textContent).... L87: </span> ... L1845: @end${K}`;X.push(`Added ${_} missing @end${K}`)}}if(X.length>0&&Z.logRecoveryWarnings)console.warn("[stx] Auto-recovery applied fixes:"),X.forEach((K)=>console.warn(` - ${K}`)),co...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file containing dangerous behavior rated at blocking severity.

dist/index.js · L1
dist/forms.d.ts
71patternName = generic_password severity = medium line = 71 matchedText = * { em...8' }
Medium
Secret Pattern

Hardcoded password in dist/forms.d.ts

dist/forms.d.ts · L71

Findings

2 Critical · 5 High · 6 Medium · 8 Low
Critical · Credential Exfiltration · dist/dev-server/serve-file.js
Critical · Trigger Reachable Dangerous Capability · dist/index.js
High · Child Process · dist/web-components.js
High · Eval · dist/web-components.js
High · Same File Env Network Execution · dist/web-components.js
High · Obfuscated Payload Loader · dist/web-components.js
High · Cross File Remote Execution Context · dist/dev-server/serve-markdown.js
Medium · Dynamic Require · dist/web-components.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist/forms.d.ts
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/bundle-analyzer/treemap.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings