registry  /  @streetjs/cli  /  1.2.7

@streetjs/cli@1.2.7

⚠ Under review

Street Framework CLI — scaffold, generate, migrate, and run TypeScript backend projects.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 26 file(s), 445 KB of source, external domains: admin.example.com, app.example.com, esm.sh, github.com, hassanmubiru.github.io, htmx.org, nodejs.org, plugins.streetjs.dev, unpkg.com, www.npmjs.com

Source & flagged code

7 flagged · loading source
dist/commands/start.jsView file
2// `street start` — runs the compiled production server. L3: import { spawn } from 'node:child_process'; L4: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/commands/start.jsView on unpkg · L2
dist/commands/test.jsView file
76stdio: 'inherit', L77: shell: true, L78: });
High
Shell

Package source references shell execution.

dist/commands/test.jsView on unpkg · L76
73return new Promise((resolvePromise, reject) => { L74: const tsc = spawn('npx', ['tsc', '--project', 'tsconfig.json'], { L75: cwd: projectDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/test.jsView on unpkg · L73
dist/commands/create.jsView file
398constructor( L399: private readonly orgs: OrgRepository, L400: private readonly members: MembershipWriteRepository, ... L672: L673: const token = randomBytes(32).toString('base64url'); // unique invite token L674: const expiresAt = new Date(Date.now() + INVITE_TTL_MS); ... L816: /** Environment label embedded in the prefix (e.g. "live", "test"). */ L817: private readonly environment: string = process.env['NODE_ENV'] === 'production' ? 'live' : 'test', L818: ) {} ... L1443: type: string; L1444: data: { object: Record<string, unknown> }; L1445: }
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/commands/create.jsView on unpkg · L398
398Trigger-reachable chain: manifest.main -> dist/index.js -> dist/commands/create.js L398: constructor( L399: private readonly orgs: OrgRepository, L400: private readonly members: MembershipWriteRepository, ... L672: L673: const token = randomBytes(32).toString('base64url'); // unique invite token L674: const expiresAt = new Date(Date.now() + INVITE_TTL_MS); ... L816: /** Environment label embedded in the prefix (e.g. "live", "test"). */ L817: private readonly environment: string = process.env['NODE_ENV'] === 'production' ? 'live' : 'test', L818: ) {} ... L1443: type: string; L1444: data: { object: Record<string, unknown> }; L1445: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/commands/create.jsView on unpkg · L398
dist/commands/generate.jsView file
94package = @streetjs/cli; repositoryIdentity = streetjs; dependency = streetjs L94: const output = String(ctx.args.flags['output'] ?? './sdk'); L95: const core = await import('streetjs'); L96: let specRaw;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/commands/generate.jsView on unpkg · L94
dist/commands/add.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @streetjs/cli@1.2.1 matchedIdentity = npm:QHN0cmVldGpzL2NsaQ:1.2.1 similarity = 0.962 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/add.jsView on unpkg

Findings

3 Critical4 High4 Medium5 Low
CriticalCredential Exfiltrationdist/commands/create.js
CriticalTrigger Reachable Dangerous Capabilitydist/commands/create.js
CriticalPrevious Version Dangerous Deltadist/commands/add.js
HighChild Processdist/commands/start.js
HighShelldist/commands/test.js
HighCopied Package Dependency Bridgedist/commands/generate.js
HighRuntime Package Installdist/commands/test.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings