Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystem
UrlStrings
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node scripts/preinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.preinstall = node scripts/preinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgscripts/preinstall.jsView file
6Manifest entrypoint (scripts.preinstall) carries capability families absent from dist/build output: environment+network
L6: // In the monorepo, Bun workspace links this package directly, so this script
L7: // is only hit during `npm publish` or external installs.
L8:
L9: const ua = process.env.npm[redacted] || '';
L10: if (process.versions.bun || ua.startsWith('bun/') || ua.startsWith('bun ')) {
...
L17:
L18: process.stderr.write(
L19: [
...
L25: '',
L26: ' Get Bun: https://bun.sh',
L27: '',
High
Entrypoint Build Divergence
Manifest entrypoint contains risky behavior absent from dist/build output.
scripts/preinstall.jsView on unpkg · L6Findings
2 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighEntrypoint Build Divergencescripts/preinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings