registry  /  @stencil/dev-server  /  5.0.0-alpha.25

@stencil/dev-server@5.0.0-alpha.25

Development server for Stencil with DOM-based HMR

Static Scan Results

scanned 7h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 105 KB of source, external domains: dev.stenciljs.com

Source & flagged code

5 flagged · loading source
dist/index.mjsView file
9import * as zlib from "node:zlib"; L10: import { fork } from "node:child_process"; L11: //#region src/server/utils.ts
High
Child Process

Package source references child process execution.

dist/index.mjsView on unpkg · L9
1308let serverProcess = fork(path.join(import.meta.dirname, "worker-thread.js"), [], { L1309: execArgv: process.execArgv.filter((v) => !/^--(debug|inspect)/.test(v)), L1310: env: process.env,
High
Shell

Package source references shell execution.

dist/index.mjsView on unpkg · L1308
1297* Worker process proxy for dev server. L1298: * Forks a child process to run the HTTP and WebSocket server in isolation. L1299: */ ... L1307: function initServerProcessWorkerProxy(sendToMain) { L1308: let serverProcess = fork(path.join(import.meta.dirname, "worker-thread.js"), [], { L1309: execArgv: process.execArgv.filter((v) => !/^--(debug|inspect)/.test(v)), L1310: env: process.env, L1311: cwd: process.cwd(),
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.mjsView on unpkg · L1297
400package = @stencil/dev-server; repositoryIdentity = core; dependency = launch-editor L400: try { L401: const mod = await import("launch-editor"); L402: launchEditor = mod.default || mod;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/index.mjsView on unpkg · L400
392async function openInBrowser(opts) { L393: const { default: open } = await import("open"); L394: await open(opts.url);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.mjsView on unpkg · L392

Findings

4 High4 Medium4 Low
HighChild Processdist/index.mjs
HighShelldist/index.mjs
HighSame File Env Network Executiondist/index.mjs
HighCopied Package Dependency Bridgedist/index.mjs
MediumDynamic Requiredist/index.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings