
@vibgrate/cli@2026.701.1

⚠ Under review

CLI for measuring upgrade drift across Node, .NET, Python & Java projects

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 21 findings (scanner confidence 93.0%). This version is warn-only — the findings are advisory rather than blocking — unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; in addition, the diff against the previous stored version (2026.630.4) introduced a source file classified as dangerous.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · NativeBindings · Network
Supply chain
HighEntropyStrings · Minified · Obfuscated · Protestware · Telemetry · UrlStrings
Manifest
NoLicense
scanned 13 file(s), 918 KB of source. External domains found as URL strings in the source (a listed domain is not necessarily contacted at runtime; see the Network and Telemetry findings): adoptium.net, api.nuget.org, api.osv.dev, api.vibgrate.com, artifacthub.io, docs.vibgrate.com, dotnet.microsoft.com, go.dev, hex.pm, hub.docker.com, openvex.dev, owasp.org, raw.githubusercontent.com, registry.npmjs.org, registry.terraform.io, spec.openapis.org, vibgrate.com, www.aicpa-cima.com, www.apache.org, www.iso.org, www.nist.gov, www.python.org, www.rfc-editor.org
Oversized source lightweight scan
dist/hcs-worker.js — 18.5 MB file, of which only a 256 KB sample (under 2%) was scanned; the tags below describe the sample, not the whole file.
Filesystem · Network · ChildProcess · EnvironmentVars · DynamicRequire · HighEntropyStrings · UrlStrings · domain: www.apache.org

Source & flagged code

dist/chunk-2GHB73ES.js
matchType = previous_version_dangerous_delta matchedPackage = @vibgrate/cli@2026.630.4 matchedIdentity = npm:QHZpYmdyYXRlL2NsaQ:2026.630.4 similarity = 0.923 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a source file (dist/chunk-2GHB73ES.js) that is absent from the previous stored version, 2026.630.4, while sharing 92.3% of the package body with it. Note that chunk names of this form appear to be bundler-generated content hashes, so a rebuilt chunk shows up as a "new" file even when its contents barely changed; confirm the delta by diffing the chunk contents against the 2026.630.4 chunks rather than by filename.

dist/chunk-2GHB73ES.js
1import {a}from'./chunk-MKDRULJ6.js';import {p,o,j,n,a as a$1,i,k,d,e,q,r,s}from'./chunk-XTHPCEME.js';import {b}from'./chunk-EK7ODJWE.js';import*as B from'path';import {basename,dir... L2: `&&t[o]!=="\r";o++)c+=t[o];if(c=c.trim(),c[c.length-1]==="/"&&(c=c.substring(0,c.length-1),o--),!La(c)){let p;return c.trim().length===0?p="Invalid space after '<'.":p="Tag '"+c+"'...
High
Child Process

Package source references child process execution. This may be expected for a CLI that inspects Node, .NET, Python and Java projects, but confirm that the spawned commands and their arguments are not assembled from untrusted manifest or lockfile contents.

dist/chunk-2GHB73ES.js · L1
69${d.name}: ${d.versions.join(", ")} (${d.consumers} consumer${d.consumers!==1?"s":""})`),p++;}let f=a.length-p;l+=u.join(""),f>0&&(l+=` L70: ... and ${f} more`),e.push({title:"Deduplicate heavily-versioned packages",explanation:l,severity:35});}}return e.sort((i,a)=>a.severity-i.severity),e.slice(0,5)}function Cl(t){let... L71: `)}var Ll=/^node_modules\/((?:@[^/]+\/)?[^/]+)$/;function Nl(t){let e=new Map;if(!t||typeof t!="object")return e;let n=t;if(n.packages&&typeof n.packages=="object")for(let[r,s]of O... L72: `))if(!(!s.trim()||s.trimStart().startsWith("#")))if(!/^\s/.test(s))r=s.replace(/:\s*$/,"").split(",").map(o=>o.trim().replace(/^"|"$/g,"")).filter(Boolean);else {let o=/^\s+versio... L73: `)){let r=ps(n);r&&e.push(r);}return e}function Au(t){let e={dependencies:[]},n=t.match(/^\s*name\s*=\s*"([^"]+)"/m);n&&(e.projectName=n[1]);let r=t.match(/^\s*requires-python\s*=\... ... L79: `)){let r=Gu.exec(n);if(!r)continue;let s=r[1],o=r[2].split("-")[0].trim();/^\d/.test(o)&&(e.has(s)||e.set(s,o));}return e}async function Hu(t,e){let n=B.join(t,"Gemfile.lock");if(... L80: `),l=xd(c);l.length&&s.push({version:a,tag:i,url:o.html_url??null,date:o.published_at??null,signals:l,exc
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking. In a minified bundle a single chunk aggregates many unrelated modules, so co-location in one file is weak evidence of a data flow between these capabilities.

dist/chunk-2GHB73ES.js · L69
69${d.name}: ${d.versions.join(", ")} (${d.consumers} consumer${d.consumers!==1?"s":""})`),p++;}let f=a.length-p;l+=u.join(""),f>0&&(l+=` L70: ... and ${f} more`),e.push({title:"Deduplicate heavily-versioned packages",explanation:l,severity:35});}}return e.sort((i,a)=>a.severity-i.severity),e.slice(0,5)}function Cl(t){let... L71: `)}var Ll=/^node_modules\/((?:@[^/]+\/)?[^/]+)$/;function Nl(t){let e=new Map;if(!t||typeof t!="object")return e;let n=t;if(n.packages&&typeof n.packages=="object")for(let[r,s]of O... L72: `))if(!(!s.trim()||s.trimStart().startsWith("#")))if(!/^\s/.test(s))r=s.replace(/:\s*$/,"").split(",").map(o=>o.trim().replace(/^"|"$/g,"")).filter(Boolean);else {let o=/^\s+versio... L73: `)){let r=ps(n);r&&e.push(r);}return e}function Au(t){let e={dependencies:[]},n=t.match(/^\s*name\s*=\s*"([^"]+)"/m);n&&(e.projectName=n[1]);let r=t.match(/^\s*requires-python\s*=\... ... L78: `)){let r=n.trim();if(!r||r.startsWith("#")||r.startsWith("empty="))continue;let s=Ru.exec(r);if(!s)continue;let o=`${s[1]}:${s[2]}`;e.has(o)||e.set(o,s[3]);}return e}async functio... L79: `)){let r=Gu.exec(n);if(!r)continue;let s=r[1],o=r[2].split("-")[0].trim();/^\d/.test(o)&&(e.has(s)||e.se
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking. The excerpt attached below is TOML-parsing code (its errors reference `toml` and `ptr`) and does not itself show an exec-to-network flow, so the actual path from command output to an outbound request must be traced in the full file.

dist/chunk-2GHB73ES.js · L69
23`&&o!=="\r"){let i=wn(t,e-1,"]",n-1,r);s.push(i[0]),e=i[1];}}if(!o)throw new R("unfinished array encountered",{toml:t,ptr:e});return [s,e]}function Co(t,e,n,r){let s=e,o=n,i,a=fals... L24: `&&t[a]!=="\r")throw new R("each key-value declaration must be followed by an end-of-line",{toml:t,ptr:a});a=Te(t,a);}return r}var Pt=b(a(),1);var Mt=b(a(),1),Ie=b(a(),1),_e=b(a(),... L25:
Medium
Dynamic Require

Package source references dynamic require/import behavior. Where the import target is a computed string, confirm it cannot be influenced by the scanned project's files.

dist/chunk-2GHB73ES.js · L23
dist/cli.js
1#!/usr/bin/env node L2: import'./chunk-JSRJCKDX.js';import {d,c,e,f,b as b$1,a as a$1,h}from'./chunk-JW5BRLSC.js';import {b,fb,Xa,ib,hb,gb,kb,eb}from'./chunk-2GHB73ES.js';import {a}from'./chunk-MKDRULJ6.j... L3: `),console.log(""),console.log(l.green("\u2714")+` DSN written to ${t.write}`),console.log(l.yellow("\u26A0")+" Add this file to .gitignore!");}});function Vt(){return S.join(Ut.ho... L4: `,"utf8");try{ee.chmodSync(n,384);}catch{}}function Gt(){try{return ee.rmSync(de()),!0}catch{return false}}function fe(t){return t||(process.env.VIBGRATE_DSN?process.env.VIBGRATE_... L5: Failing: ${p$1.findings.filter(f=>f.level==="error").length} error finding(s) detected.`)),process.exit(2)),e.failOn==="warn"&&(m||u)&&(console.error(l.red(` ... L33: ... and ${u} more`),e.push({title:"Deduplicate heavily-versioned packages",explanation:p,severity:35});}}return e.sort((s,i)=>i.severity-s.severity),e.slice(0,5)}function Zt(t){let... L34: `)}var nn=new Command("report").description("Generate a drift report from a scan artifact").option("--in <file>","Input artifact file",".vibgrate/scan_result.json").option("--forma... L35: `)),process.exit(1)),e$1.push(...await mr(r));}e$1.push(...t.st
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. The evidence attached to this finding repeats the cross-file execution chain and does not show the gating condition itself; the only environment access visible in the excerpt is a `process.env.VIBGRATE_DSN` configuration lookup. Identify the specific fingerprint check before accepting the sandbox-evasion rating.

dist/cli.js · L1
1Cross-file remote execution chain: dist/cli.js spawns dist/chunk-2GHB73ES.js; helper contains network access plus dynamic code execution. L1: #!/usr/bin/env node L2: import'./chunk-JSRJCKDX.js';import {d,c,e,f,b as b$1,a as a$1,h}from'./chunk-JW5BRLSC.js';import {b,fb,Xa,ib,hb,gb,kb,eb}from'./chunk-2GHB73ES.js';import {a}from'./chunk-MKDRULJ6.j... L3: `),console.log(""),console.log(l.green("\u2714")+` DSN written to ${t.write}`),console.log(l.yellow("\u26A0")+" Add this file to .gitignore!");}});function Vt(){return S.join(Ut.ho... L4: `,"utf8");try{ee.chmodSync(n,384);}catch{}}function Gt(){try{return ee.rmSync(de()),!0}catch{return false}}function fe(t){return t||(process.env.VIBGRATE_DSN?process.env.VIBGRATE_... L5: Failing: ${p$1.findings.filter(f=>f.level==="error").length} error finding(s) detected.`)),process.exit(2)),e.failOn==="warn"&&(m||u)&&(console.error(l.red(` ... L33: ... and ${u} more`),e.push({title:"Deduplicate heavily-versioned packages",explanation:p,severity:35});}}return e.sort((s,i)=>i.severity-s.severity),e.slice(0,5)}function Zt(t){let... L34: `)}var nn=new Command("report").description("Generate a drift report from a scan artifact").option("--in <file>",…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking. The excerpt shown for dist/cli.js imports the helper as an ES module (`import {...} from './chunk-2GHB73ES.js'`) rather than spawning it; confirm that a child process is actually launched with that path before treating this as a remote-execution chain.

dist/cli.js · L1
dist/hcs-wasm/vibgrate_hcs_wasm_bg.wasm
path = dist/hcs-wasm/vibgrate_hcs_wasm_bg.wasm kind = wasm_module sizeBytes = 2161245 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships a WebAssembly module (dist/hcs-wasm/vibgrate_hcs_wasm_bg.wasm, 2,161,245 bytes). The findings on this page come from JavaScript source rules and say nothing about what the Wasm module does; the `_bg.wasm` suffix suggests wasm-bindgen output, so confirm it is reproducible from the published source before relying on it.

dist/hcs-wasm/vibgrate_hcs_wasm_bg.wasm
dist/hcs-worker.js
path = dist/hcs-worker.js kind = oversized_source_file sizeBytes = 19407955 magicHex = [redacted]
High
Oversized Source File

Package contains a source file above the static scanner size ceiling (dist/hcs-worker.js, 19,407,955 bytes). Only a 256 KB sample was scanned, so more than 98% of this file is uninspected; treat it as unknown rather than as clean.

dist/hcs-worker.js
path = dist/hcs-worker.js kind = oversized_cli_entrypoint sizeBytes = 19407955 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized file that looks like an executable CLI entrypoint (dist/hcs-worker.js, 19,407,955 bytes).

dist/hcs-worker.js

Findings

1 Critical · 6 High · 7 Medium · 7 Low (21 total)
Critical — Previous Version Dangerous Delta — dist/chunk-2GHB73ES.js
High — Child Process — dist/chunk-2GHB73ES.js
High — Same File Env Network Execution — dist/chunk-2GHB73ES.js
High — Command Output Exfiltration — dist/chunk-2GHB73ES.js
High — Sandbox Evasion Gated Capability — dist/cli.js
High — Cross File Remote Execution Context — dist/cli.js
High — Oversized Source File — dist/hcs-worker.js
Medium — Dynamic Require — dist/chunk-2GHB73ES.js
Medium — Network
Medium — Environment Vars
Medium — Protestware
Medium — Ships Wasm Module — dist/hcs-wasm/vibgrate_hcs_wasm_bg.wasm
Medium — Oversized Cli Entrypoint — dist/hcs-worker.js
Medium — Structural Risk Force Deep Review
Low — Scripts Present
Low — Filesystem
Low — Obfuscated
Low — High Entropy Strings
Low — Telemetry
Low — Url Strings
Low — No License