registry  /  @sveltia/cms  /  0.170.6

@sveltia/cms@0.170.6

⚠ Under review

Sveltia CMS is a modern, lightweight, Git-based headless content management system.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireNetwork
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.75 MB of source, external domains: ai.google.dev, aistudio.google.com, api-docs.deepseek.com, api.anthropic.com, api.deepseek.com, api.github.com, api.mistral.ai, api.netlify.com, api.openai.com, api.pexels.com, api.unsplash.com, api.uploadcare.com, app.uploadcare.com, aws.amazon.com, bsky.app, cloud.digitalocean.com, cloudinary.com, codeberg.org, console.aws.amazon.com, console.cloud.google.com, console.cloudinary.com, console.mistral.ai, console.scaleway.com, dash.cloudflare.com, developers.cloudflare.com, discord.com, docs.aws.amazon.com, docs.claude.com, docs.digitalocean.com, docs.mistral.ai, fonts.googleapis.com, fonts.gstatic.com, generativelanguage.googleapis.com, gitea.com, github.com, gitlab.com, lea.verou.me, lexical.dev, opensource.org, picsum.photos, pixabay.com, platform.claude.com, platform.deepseek.com, platform.openai.com, react.dev, secure.backblaze.com, stackoverflow.com, status-api.hostedstatus.com, status.gitlab.com, supabase.com

Source & flagged code

5 flagged · loading source
dist/sveltia-cms.mjsView file
1var e=Object.create,t=Object.defineProperty,n=Object.getOwnPropertyDescriptor,r=Object.getOwnPropertyNames,i=Object.getPrototypeOf,a=Object.prototype.hasOwnProperty,o=(e,t,n)=>()=>... L2: /** ... L16: */ L17: var n=Object.getOwnPropertySymbols,r=Object.prototype.hasOwnProperty,i=Object.prototype.propertyIsEnumerable;function a(e){if(e==null)throw TypeError(`Object.assign cannot be calle... L18: \r\f\xA0\v`]}));function os(e,t,n,r,i,a){var o=e[Fe];if(bt||o!==n||o===void 0){var s=es(n,r,a);(!bt||s!==e.getAttribute(`class`))&&(s==null?e.removeAttribute(`class`):t?e.classNam... ... L42: */ L43: function uc(e){return!!(e&&e[xd])}function dc(e){return!!(e&&e[Sd])}function fc(e){return dc(e)||uc(e)}function pc(e){return!!(e&&e[Cd])}function mc(e,t,n,r){var i=e===Od?t:e===kd?... L44: `),Up=async e=>{let t=typeof e==`string`?new Blob([e],{type:`text/plain`}):e,n=new FileReader;return new Promise((e,r)=>{n.onload=()=>{e(n.result)},n.onerror=()=>{r(n.error)},n.rea... L45: \r  `),Nm=(e,t)=>new _m(`missing-syntax`,e,e+t.length,t),Pm=(...e)=>new _m(...e)}));function kee(e,t){let{node:n,pattern:r}=t,{functionRef:i=n,attributes:a=null,declaration:o=n,exp... L46: `)}},xg.defaultYaml={explicit:
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/sveltia-cms.mjsView on unpkg · L1
126contains invisible/control Unicode U+FEFF (zero width no-break space) `)+(a.substring(1)||` `),n=!0,r=!1;break;case`%`:e[i+1]?.[0]!==`#`&&(i+=1),n=!1;break;default:n||(r=!0),n=!1}}return{comment:t,afterEmptyLine:r}}var iy,ay=o((()=>{Sg(),Mv(),Iv(),sg(),wne(),Wv(),iy=class{constructor(e={}){this.doc=null,this.
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/sveltia-cms.mjsView on unpkg · L126
1Trigger-reachable chain: manifest.main -> dist/sveltia-cms.mjs L1: var e=Object.create,t=Object.defineProperty,n=Object.getOwnPropertyDescriptor,r=Object.getOwnPropertyNames,i=Object.getPrototypeOf,a=Object.prototype.hasOwnProperty,o=(e,t,n)=>()=>... L2: /** ... L16: */ L17: var n=Object.getOwnPropertySymbols,r=Object.prototype.hasOwnProperty,i=Object.prototype.propertyIsEnumerable;function a(e){if(e==null)throw TypeError(`Object.assign cannot be calle... L18: \r\f\xA0\v`]}));function os(e,t,n,r,i,a){var o=e[Fe];if(bt||o!==n||o===void 0){var s=es(n,r,a);(!bt||s!==e.getAttribute(`class`))&&(s==null?e.removeAttribute(`class`):t?e.classNam... ... L42: */ L43: function uc(e){return!!(e&&e[xd])}function dc(e){return!!(e&&e[Sd])}function fc(e){return dc(e)||uc(e)}function pc(e){return!!(e&&e[Cd])}function mc(e,t,n,r){var i=e===Od?t:e===kd?... L44: `),Up=async e=>{let t=typeof e==`string`?new Blob([e],{type:`text/plain`}):e,n=new FileReader;return new Promise((e,r)=>{n.onload=()=>{e(n.result)},n.onerror=()=>{r(n.error)},n.rea... L45: \r  `),Nm=(e,t)=>new _m(`missing-syntax`,e,e+t.length,t),Pm=(...e)=>new _m(...e)}));function kee(e,t){let{node:n,pattern:r}=t,{functionRef:i=n,attributes:a…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/sveltia-cms.mjsView on unpkg · L1
688`}isInline(){return!1}updateDOM(){return!1}},Date.now}));function wX(e,...t){let n=new URL(`https://lexical.dev/docs/error`),r=new URLSearchParams;r.append(`code`,e);for(let e of t... L689: `){let e=EV(),t=HH(),r=n.isBackward()?`previous`:`next`;return n.insertNodes([e,t]),bG(kG(dG(iG(e,`next`,0),EG(rG(t,`next`))),r)),!0}for(let a=0;a<i;a++){let i=r[a];if(i.length>0){... L690: `+ ++o);n.setAttribute(`data-gutter`,a)}function TZ(e,t,n,r){let{nodesCurrentlyHighlighting:i}=n,a=r.getKey();r.getLanguage()===void 0&&t.defaultLanguage!==null&&r.setLanguage(t.de...
High
Child Process

Package source references child process execution.

dist/sveltia-cms.mjsView on unpkg · L688
642`),_=`AWS4-HMAC-SHA256`,v=`${d}/${o}/${s}/aws4_request`,y=[_,u,v,await zA(g)].join(` L643: `),b=await RA(`AWS4${a}`,d),x=await RA(b,o),S=await RA(x,s),C=await RA(S,`aws4_request`),w=await RA(C,y),T=Array.from(w).map(e=>e.toString(16).padStart(2,`0`)).join(``);return[`${_... L644: @media (width < 768px) {.floating-action-button-wrapper.svelte-10zy6kp {display:block;position:fixed;inset-inline-end:16px;inset-block-end:72px;z-index:100;}.floating-action-button...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/sveltia-cms.mjsView on unpkg · L642

Findings

3 Critical1 High4 Medium2 Low
CriticalDownload Executedist/sveltia-cms.mjs
CriticalTrojan Source Unicodedist/sveltia-cms.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/sveltia-cms.mjs
HighChild Processdist/sveltia-cms.mjs
MediumDynamic Requiredist/sveltia-cms.mjs
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowHigh Entropy Strings
LowUrl Strings