@tapi-dev/sdk@0.1.34

Official JavaScript and TypeScript client for TAPI developer APIs.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 findings at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previously stored version (@tapi-dev/sdk@0.1.31) introduced a dangerous source file.

Decision evidence

Scan basis: public snapshot

Behavioral surface
  Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
  Supply chain: HighEntropyStrings, UrlStrings
  Manifest: NoLicense

Scanned 15 files, 172 KB of source. Hosts referenced: 127.0.0.1 (loopback, not an external domain), d4xaf52nfwiok.cloudfront.net, determined-motivation-production.up.railway.app, identitytoolkit.googleapis.com, rsarlong-1f92fd.gitlab.io, securetoken.googleapis.com

Source & flagged code

4 flagged locations, all in dist/cli.js
dist/cli.js, line 20
  patternName = google_api_key; severity = high; matchedText = const DE...gE";
  High · High Secret

Package contains a high-severity secret pattern.
dist/cli.js
  matchType = previous_version_dangerous_delta
  matchedPackage = @tapi-dev/sdk@0.1.31
  matchedIdentity = npm:QHRhcGktZGV2L3Nkaw:0.1.31
  similarity = 0.786
  summary = stored previous version shares package body but lacks this dangerous source file
  High · Previous Version Dangerous Delta

This version adds a source file (dist/cli.js) that is absent from the previously stored version, @tapi-dev/sdk@0.1.31, which otherwise shares most of the package body (similarity 0.786); route for source-aware review of the added file.
dist/cli.js, line 20
  patternName = google_api_key; severity = high; matchedText = const DE...gE";
  High · Secret Pattern

Google API key in dist/cli.js. Triage note: the referenced hosts include identitytoolkit.googleapis.com and securetoken.googleapis.com (Firebase Authentication endpoints), and a Firebase web API key is designed to be embedded in client code; confirm which Google APIs the key is enabled for and whether it is restricted before treating this as a leaked secret.
dist/cli.js, lines 1006-1008
  const moduleUrl = pathToFileURL(configPath).href;
  const module = await import(moduleUrl);
  return module.default ?? module;
  Medium · Dynamic Require

Package source references dynamic require/import behavior: the module at configPath is loaded and executed, so whatever supplies configPath determines what code runs in the CLI process; check where the CLI obtains that path.

Findings

3 High · 4 Medium · 6 Low

Severity  Finding                            Location
High      High Secret                        dist/cli.js
High      Previous Version Dangerous Delta   dist/cli.js
High      Secret Pattern                     dist/cli.js
Medium    Dynamic Require                    dist/cli.js
Medium    Network
Medium    Environment Vars
Medium    Structural Risk Force Deep Review
Low       Non Install Lifecycle Scripts
Low       Scripts Present
Low       Filesystem
Low       High Entropy Strings
Low       Url Strings
Low       No License