
@vibgrate/cli@2026.630.4

CLI for measuring upgrade drift across Node, .NET, Python & Java projects

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 20 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · NativeBindings · Network
Supply chain
HighEntropyStrings · Minified · Obfuscated · Protestware · Telemetry · UrlStrings
Manifest
NoLicense
scanned 13 file(s), 920 KB of source, external domains: adoptium.net, api.nuget.org, api.osv.dev, api.vibgrate.com, artifacthub.io, docs.vibgrate.com, dotnet.microsoft.com, go.dev, hex.pm, hub.docker.com, openvex.dev, owasp.org, raw.githubusercontent.com, registry.npmjs.org, registry.terraform.io, spec.openapis.org, vibgrate.com, www.aicpa-cima.com, www.apache.org, www.iso.org, www.nist.gov, www.python.org, www.rfc-editor.org
Oversized source (lightweight scan)
dist/hcs-worker.js — 18.5 MB file, sampled 256 KB
Filesystem · Network · ChildProcess · EnvironmentVars · DynamicRequire · HighEntropyStrings · UrlStrings · www.apache.org

Source & flagged code

9 flagged
dist/chunk-23ZMCWVP.js
1import {kb}from'./chunk-56LSK5QE.js';import*as s from'path';import {Command}from'commander';import r from'chalk';import {execFile}from'child_process';import*as i from'fs/promises';... L2: `,"utf8");}async function E(e,t){await m(s.dirname(e)),await i.writeFile(e,t,"utf8");}var n;async function f(){if(n!==void 0)return n??void 0;try{n=(await import('./dist-VOCNX34F.j...
High
Child Process

Package source references child process execution; the quoted chunk imports `execFile` from `child_process`.

dist/chunk-23ZMCWVP.js · L1
dist/hcs-wasm/vibgrate_hcs_wasm.js
445const wasmPath = `${__dirname}/vibgrate_hcs_wasm_bg.wasm`; L446: const wasmBytes = require('fs').readFileSync(wasmPath); L447: const wasmModule = new WebAssembly.Module(wasmBytes);
Medium
Dynamic Require

Package source references dynamic require/import behavior; the quoted lines read a bundled `.wasm` file relative to `__dirname` via `require('fs')` and compile it with `WebAssembly.Module`.

dist/hcs-wasm/vibgrate_hcs_wasm.js · L445
dist/cli.js
1#!/usr/bin/env node L2: import'./chunk-7BUL2K2V.js';import {d,c,e,f,b as b$1,a as a$1,h}from'./chunk-23ZMCWVP.js';import {b,fb,Xa,ib,hb,gb,kb,eb}from'./chunk-56LSK5QE.js';import {a}from'./chunk-MKDRULJ6.j... L3: `),console.log(""),console.log(l.green("\u2714")+` DSN written to ${t.write}`),console.log(l.yellow("\u26A0")+" Add this file to .gitignore!");}});function Vt(){return S.join(Ut.ho... L4: `,"utf8");try{ee.chmodSync(n,384);}catch{}}function Gt(){try{return ee.rmSync(de()),!0}catch{return false}}function fe(t){return t||(process.env.VIBGRATE_DSN?process.env.VIBGRATE_... L5: Failing: ${p$1.findings.filter(f=>f.level==="error").length} error finding(s) detected.`)),process.exit(2)),e.failOn==="warn"&&(m||u)&&(console.error(l.red(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.js · L1
33... and ${u} more`),e.push({title:"Deduplicate heavily-versioned packages",explanation:p,severity:35});}}return e.sort((s,i)=>i.severity-s.severity),e.slice(0,5)}function Zt(t){let... L34: `)}var nn=new Command("report").description("Generate a drift report from a scan artifact").option("--in <file>","Input artifact file",".vibgrate/scan_result.json").option("--forma... L35: `)),process.exit(1)),e$1.push(...await mr(r));}e$1.push(...t.statement);let n=fr({author:t.author,defaultProduct:t.product,timestamp:t.timestamp,id:t.id,statements:e$1}),o=JSON.str...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.js · L33
1#!/usr/bin/env node L2: import'./chunk-7BUL2K2V.js';import {d,c,e,f,b as b$1,a as a$1,h}from'./chunk-23ZMCWVP.js';import {b,fb,Xa,ib,hb,gb,kb,eb}from'./chunk-56LSK5QE.js';import {a}from'./chunk-MKDRULJ6.j... L3: `),console.log(""),console.log(l.green("\u2714")+` DSN written to ${t.write}`),console.log(l.yellow("\u26A0")+" Add this file to .gitignore!");}});function Vt(){return S.join(Ut.ho... L4: `,"utf8");try{ee.chmodSync(n,384);}catch{}}function Gt(){try{return ee.rmSync(de()),!0}catch{return false}}function fe(t){return t||(process.env.VIBGRATE_DSN?process.env.VIBGRATE_... L5: Failing: ${p$1.findings.filter(f=>f.level==="error").length} error finding(s) detected.`)),process.exit(2)),e.failOn==="warn"&&(m||u)&&(console.error(l.red(` ... L33: ... and ${u} more`),e.push({title:"Deduplicate heavily-versioned packages",explanation:p,severity:35});}}return e.sort((s,i)=>i.severity-s.severity),e.slice(0,5)}function Zt(t){let... L34: `)}var nn=new Command("report").description("Generate a drift report from a scan artifact").option("--in <file>","Input artifact file",".vibgrate/scan_result.json").option("--forma... L35: `)),process.exit(1)),e$1.push(...await mr(r));}e$1.push(...t.st
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.js · L1
1Cross-file remote execution chain: dist/cli.js spawns dist/chunk-7BUL2K2V.js; helper contains network access plus dynamic code execution. L1: #!/usr/bin/env node L2: import'./chunk-7BUL2K2V.js';import {d,c,e,f,b as b$1,a as a$1,h}from'./chunk-23ZMCWVP.js';import {b,fb,Xa,ib,hb,gb,kb,eb}from'./chunk-56LSK5QE.js';import {a}from'./chunk-MKDRULJ6.j... L3: `),console.log(""),console.log(l.green("\u2714")+` DSN written to ${t.write}`),console.log(l.yellow("\u26A0")+" Add this file to .gitignore!");}});function Vt(){return S.join(Ut.ho... L4: `,"utf8");try{ee.chmodSync(n,384);}catch{}}function Gt(){try{return ee.rmSync(de()),!0}catch{return false}}function fe(t){return t||(process.env.VIBGRATE_DSN?process.env.VIBGRATE_... L5: Failing: ${p$1.findings.filter(f=>f.level==="error").length} error finding(s) detected.`)),process.exit(2)),e.failOn==="warn"&&(m||u)&&(console.error(l.red(` ... L33: ... and ${u} more`),e.push({title:"Deduplicate heavily-versioned packages",explanation:p,severity:35});}}return e.sort((s,i)=>i.severity-s.severity),e.slice(0,5)}function Zt(t){let... L34: `)}var nn=new Command("report").description("Generate a drift report from a scan artifact").option("--in <file>",…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.js · L1
dist/hcs-wasm/vibgrate_hcs_wasm_bg.wasm
path = dist/hcs-wasm/vibgrate_hcs_wasm_bg.wasm kind = wasm_module sizeBytes = 2161245 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/hcs-wasm/vibgrate_hcs_wasm_bg.wasm
dist/hcs-worker.js
path = dist/hcs-worker.js kind = oversized_source_file sizeBytes = 19407955 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/hcs-worker.js
path = dist/hcs-worker.js kind = oversized_cli_entrypoint sizeBytes = 19407955 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/hcs-worker.js

Findings

6 High · 7 Medium · 7 Low
High — Child Process — dist/chunk-23ZMCWVP.js
High — Same File Env Network Execution — dist/cli.js
High — Command Output Exfiltration — dist/cli.js
High — Sandbox Evasion Gated Capability — dist/cli.js
High — Cross File Remote Execution Context — dist/cli.js
High — Oversized Source File — dist/hcs-worker.js
Medium — Dynamic Require — dist/hcs-wasm/vibgrate_hcs_wasm.js
Medium — Network
Medium — Environment Vars
Medium — Protestware
Medium — Ships Wasm Module — dist/hcs-wasm/vibgrate_hcs_wasm_bg.wasm
Medium — Oversized Cli Entrypoint — dist/hcs-worker.js
Medium — Structural Risk Force Deep Review
Low — Scripts Present
Low — Filesystem
Low — Obfuscated
Low — High Entropy Strings
Low — Telemetry
Low — Url Strings
Low — No License