registry  /  @sveltia/cms  /  0.169.1

@sveltia/cms@0.169.1

⚠ Under review

Sveltia CMS is a modern, lightweight, Git-based headless content management system.

Static Scan Results

scanned 11d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireNetwork
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.76 MB of source, external domains: ai.google.dev, aistudio.google.com, api-docs.deepseek.com, api.anthropic.com, api.deepseek.com, api.github.com, api.mistral.ai, api.netlify.com, api.openai.com, api.pexels.com, api.unsplash.com, api.uploadcare.com, app.uploadcare.com, aws.amazon.com, bsky.app, cloud.digitalocean.com, cloudinary.com, codeberg.org, console.aws.amazon.com, console.cloud.google.com, console.cloudinary.com, console.mistral.ai, console.scaleway.com, dash.cloudflare.com, developers.cloudflare.com, discord.com, docs.aws.amazon.com, docs.claude.com, docs.digitalocean.com, docs.mistral.ai, fonts.googleapis.com, fonts.gstatic.com, generativelanguage.googleapis.com, gitea.com, github.com, gitlab.com, lea.verou.me, lexical.dev, opensource.org, picsum.photos, pixabay.com, platform.claude.com, platform.deepseek.com, platform.openai.com, react.dev, secure.backblaze.com, stackoverflow.com, status-api.hostedstatus.com, status.gitlab.com, supabase.com

Source & flagged code

5 flagged · loading source
dist/sveltia-cms.mjsView file
1var e=Object.create,t=Object.defineProperty,n=Object.getOwnPropertyDescriptor,r=Object.getOwnPropertyNames,i=Object.getPrototypeOf,a=Object.prototype.hasOwnProperty,o=(e,t)=>()=>(e... L2: /** ... L16: */ L17: var n=Object.getOwnPropertySymbols,r=Object.prototype.hasOwnProperty,i=Object.prototype.propertyIsEnumerable;function a(e){if(e==null)throw TypeError(`Object.assign cannot be calle... L18: \r\f\xA0\v`]}));function ls(e,t,n,r,i,a){var o=e[Pe];if(yt||o!==n||o===void 0){var s=rs(n,r,a);(!yt||s!==e.getAttribute(`class`))&&(s==null?e.removeAttribute(`class`):t?e.classNam... ... L42: */ L43: function hc(e){return!!(e&&e[kd])}function gc(e){return!!(e&&e[Ad])}function _c(e){return gc(e)||hc(e)}function vc(e){return!!(e&&e[jd])}function yc(e,t,n,r){var i=e===Id?t:e===Ld?... L44: `),Zp=async e=>{let t=typeof e==`string`?new Blob([e],{type:`text/plain`}):e,n=new FileReader;return new Promise((e,r)=>{n.onload=()=>{e(n.result)},n.onerror=()=>{r(n.error)},n.rea... L45: \r  `),Wm=(e,t)=>new Tm(`missing-syntax`,e,e+t.length,t),Gm=(...e)=>new Tm(...e)}));function _ee(e,t){let{node:n,pattern:r}=t,{functionRef:i=n,attributes:a=null,declaration:o=n,exp... L46: `)}},Lg.defaultYaml={explicit:
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/sveltia-cms.mjsView on unpkg · L1
126contains invisible/control Unicode U+FEFF (zero width no-break space) `)+(a.substring(1)||` `),n=!0,r=!1;break;case`%`:e[i+1]?.[0]!==`#`&&(i+=1),n=!1;break;default:n||(r=!0),n=!1}}return{comment:t,afterEmptyLine:r}}var Qte,$te=o((()=>{Rg(),cy(),py(),Cg(),Xte(),wy(),Qte=class{constructor(e={}){this.doc=null,th
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/sveltia-cms.mjsView on unpkg · L126
1Trigger-reachable chain: manifest.main -> dist/sveltia-cms.mjs L1: var e=Object.create,t=Object.defineProperty,n=Object.getOwnPropertyDescriptor,r=Object.getOwnPropertyNames,i=Object.getPrototypeOf,a=Object.prototype.hasOwnProperty,o=(e,t)=>()=>(e... L2: /** ... L16: */ L17: var n=Object.getOwnPropertySymbols,r=Object.prototype.hasOwnProperty,i=Object.prototype.propertyIsEnumerable;function a(e){if(e==null)throw TypeError(`Object.assign cannot be calle... L18: \r\f\xA0\v`]}));function ls(e,t,n,r,i,a){var o=e[Pe];if(yt||o!==n||o===void 0){var s=rs(n,r,a);(!yt||s!==e.getAttribute(`class`))&&(s==null?e.removeAttribute(`class`):t?e.classNam... ... L42: */ L43: function hc(e){return!!(e&&e[kd])}function gc(e){return!!(e&&e[Ad])}function _c(e){return gc(e)||hc(e)}function vc(e){return!!(e&&e[jd])}function yc(e,t,n,r){var i=e===Id?t:e===Ld?... L44: `),Zp=async e=>{let t=typeof e==`string`?new Blob([e],{type:`text/plain`}):e,n=new FileReader;return new Promise((e,r)=>{n.onload=()=>{e(n.result)},n.onerror=()=>{r(n.error)},n.rea... L45: \r  `),Wm=(e,t)=>new Tm(`missing-syntax`,e,e+t.length,t),Gm=(...e)=>new Tm(...e)}));function _ee(e,t){let{node:n,pattern:r}=t,{functionRef:i=n,attributes:a…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/sveltia-cms.mjsView on unpkg · L1
688`}isInline(){return!1}updateDOM(){return!1}},new Set([TJ,wJ]),Date.now}));function GX(e,...t){let n=new URL(`https://lexical.dev/docs/error`),r=new URLSearchParams;r.append(`code`,... L689: `){let e=HV(),t=ZH(),r=n.isBackward()?`previous`:`next`;return n.insertNodes([e,t]),EG(FG(_G(uG(e,`next`,0),MG(lG(t,`next`))),r)),!0}for(let a=0;a<i;a++){let i=r[a];if(i.length>0){... L690: `+ ++o);n.setAttribute(`data-gutter`,a)}function rQ(e,t,n,r){let{nodesCurrentlyHighlighting:i}=n,a=r.getKey();r.getLanguage()===void 0&&t.defaultLanguage!==null&&r.setLanguage(t.de...
High
Child Process

Package source references child process execution.

dist/sveltia-cms.mjsView on unpkg · L688
642`),_=`AWS4-HMAC-SHA256`,v=`${d}/${o}/${s}/aws4_request`,y=[_,u,v,await xA(g)].join(` L643: `),b=await bA(await bA(await bA(await bA(await bA(`AWS4${a}`,d),o),s),`aws4_request`),y),x=Array.from(b).map(e=>e.toString(16).padStart(2,`0`)).join(``);return[`${_} Credential=${i... L644: @media (width < 768px) {.floating-action-button-wrapper.svelte-15rj2u {display:block;position:fixed;inset-inline-end:16px;inset-block-end:72px;z-index:100;}.floating-action-button-...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/sveltia-cms.mjsView on unpkg · L642

Findings

3 Critical1 High4 Medium2 Low
CriticalDownload Executedist/sveltia-cms.mjs
CriticalTrojan Source Unicodedist/sveltia-cms.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/sveltia-cms.mjs
HighChild Processdist/sveltia-cms.mjs
MediumDynamic Requiredist/sveltia-cms.mjs
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowHigh Entropy Strings
LowUrl Strings