
@visulima/vis@1.0.0

A monorepo dev toolkit — task runner, remote caching, security scanning, git hooks, and AI agent integrations — powered by @visulima/task-runner

Static Scan Results

scanned 6h ago · by rust-scanner

Static analysis flagged 19 findings at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process · Crypto · Dynamic Require · Environment Vars · Eval · Filesystem · Native Bindings · Network · Shell
Supply chain
High Entropy Strings · Minified · Obfuscated · Protestware · Telemetry · Url Strings
Manifest: No manifest risk signals triggered.
scanned 234 files, 6.30 MB of source; external domains: anolilab.com, api.deps.dev, api.github.com, api.npmjs.org, api.osv.dev, api.snyk.io, api.socket.dev, bitbucket.org, bloom.example.com, bun.sh, cdn.jsdelivr.net, crates.io, cyclonedx.org, endevco.github.io, git.sr.ht, github.com, gitlab.com, in-toto.io, json.schemastore.org, jsr.io, mirror.example.com, npmjs.com, npms.io, npmx.dev, nvd.nist.gov, osv-vulnerabilities.storage.googleapis.com, osv.dev, pypi.org, raw.githubusercontent.com, react.dev, registry.npmjs.org, repo1.maven.org, slsa.dev, tailwindcss.com, token.actions.githubusercontent.com, visulima.com, www.npmjs.com, www.w3.org

Source & flagged code

10 flagged
bin/vis.mjs
14L15: import { spawnSync } from "node:child_process"; L16: import { readFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/vis.mjs · L14
7// fall-through path is byte-identical to running `dist/bin.js` directly, so the L8: // launcher adds no extra Node boot for delegated commands — it `import()`s the L9: // same entry in the same process.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/vis.mjs · L7
dist/packem_chunks/handler77.js
42`;await at(e,t)},Un=async s=>{const e=process.env.HISTFILE??oe(vt(),".bash_history");await at(e,`${jt(s)} L43: `)},Vn=async s=>{const e=process.env.VIS_PSREADLINE_HISTORY,t=process.env.APPDATA;if(e===void 0&&(t===void 0||t===""))return;const r=e??oe(t,"Microsoft","Windows","PowerShell","PSR... L44: `)},Hn=async s=>{const e=oe(vt(),".local","share","fish","fish_history"),t=`- cmd: ${s.replaceAll("\\","\\\\").replaceAll(`
High
Shell

Package source references shell execution.

dist/packem_chunks/handler77.js · L42
1Cross-file remote execution chain: dist/packem_chunks/handler77.js spawns dist/packem_shared/env-DdQRnEIy.js; helper contains network access plus dynamic code execution. L1: import{createRequire as rr}from"node:module";import{m as oe,H as js,J as nr,y as or,T as $s,v as ar,l as cr}from"../packem_shared/index-CE6MsgcV.js";import{expandAffected as lr,get... L2: Delete this file to be asked again. L3: `)}catch{}},Hi=(s,e="npm")=>{const t=`${e} install`;if((e==="pnpm"||e==="aube")&&Ae(oe(s,st))&&qi(s))return{file:st,installCommand:t};const r=oe(s,"package.json"),o=As(r);if(!o)ret... L4: `)}catch{return}return{file:"package.json",installCommand:t}},zi=async(s,e)=>{const t=Ui(s,e.projectManifests);if(!t.present||t.alreadyOverridden||t.declined)return!1;const r=Ss({i... L5: `),cn=async s=>{if(s.length===0||!process.stdin.isTTY||!process.stdout.isTTY)return;const e=Ss({input:process.stdin,output:process.stdout});try{process.stdout.write(`Available targ... L6: `);for(const[o,a]of s.entries())process.stdout.write(` ${String(o+1).padStart(2," ")}. ${a} ... L14: ${p} L15: ${s}`}catch{return s}},xn={delimiter:" ",language:{d:()=>" d",future:"in %s",h:()=>" h",m:()=>" m",mo:()=>" mo",ms:()=>" …
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/packem_chunks/handler77.js · L1
dist/packem_shared/docker-BYqiD711.js
12`+o)),h},Qr=d,Qr}var en,Ci;function Le(){if(Ci)return en;Ci=1;var l=rr(),d=["kind","resolve","construct","instanceOf","predicate","represent","defaultStyle","styleAliases"],A=["sca... L13: \r`;function h(m){if(m===null)return!1;var S,E,Y=0,y=m.length,b=o;for(E=0;E<y;E++)if(S=b.indexOf(m.charAt(E)),!(S>64)){if(S<0)return!1;Y+=6}return Y%8===0}function e(m){var S,E,Y=m... L14: `:r===118?"\v":r===102?"\f":r===114?"\r":r===101?"\x1B":r===32?" ":r===34?'"':r===47?"/":r===92?"\\":r===78?"…":r===95?" ":r===76?"\u2028":r===80?"\u2029":""}function Oe(r){return ...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/packem_shared/docker-BYqiD711.js · L12
dist/packem_chunks/cli-main.js
1import{createRequire as FC}from"node:module";import{d as WC,c as Lr,V as IC,h as _C,e as zC,r as KC}from"../packem_shared/index-jJNulo5i.js";import{T as ui,F as Gf,m as L,e as Jl,H... L2: `))}};const Pl=["bash","zsh","fish","powershell"],Nl=["node","bun","deno"],FY=e=>"Deno"in e,QY=e=>"Bun"in e,$p=()=>FY(globalThis)?"deno":QY(globalThis)?"bun":"node",Zp=e=>{const i=... ... L4: `)),s}else{const r=["Failed to generate completion script",`Error: ${s instanceof Error?s.message:String(s)}`,"","Troubleshooting:"," • Ensure @bomb.sh/tab is installed: pnpm add ... L5: `))}}},name:"completion",options:[{defaultOption:!0,defaultValue:Zp(),description:"Shell type (bash, zsh, fish, powershell). Defaults to current shell if detected.",name:"shell",ty... L6: `);let n=0;for(;i[n]&&i[n].trim().match(/^(#|$)/);)n++;const o=i.length;let a=n+1;for(;a<o&&i[a].trim();)a++;return i.slice(n,a).join(" ").trim()}return jd}var mm={dependancies:"de... L7: ${o.join(`\r
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/packem_chunks/cli-main.js · L1
1import{createRequire as FC}from"node:module";import{d as WC,c as Lr,V as IC,h as _C,e as zC,r as KC}from"../packem_shared/index-jJNulo5i.js";import{T as ui,F as Gf,m as L,e as Jl,H... L2: `))}};const Pl=["bash","zsh","fish","powershell"],Nl=["node","bun","deno"],FY=e=>"Deno"in e,QY=e=>"Bun"in e,$p=()=>FY(globalThis)?"deno":QY(globalThis)?"bun":"node",Zp=e=>{const i=... L3: `);e.info(n)},UY={description:"Generate shell completion scripts",env:[{description:"Shell path (Unix-like systems). Used for shell detection.",name:"SHELL",type:String},{descripti... L4: `)),s}else{const r=["Failed to generate completion script",`Error: ${s instanceof Error?s.message:String(s)}`,"","Troubleshooting:"," • Ensure @bomb.sh/tab is installed: pnpm add ... L5: `))}}},name:"completion",options:[{defaultOption:!0,defaultValue:Zp(),description:"Shell type (bash, zsh, fish, powershell). Defaults to current shell if detected.",name:"shell",ty... L6: `);let n=0;for(;i[n]&&i[n].trim().match(/^(#|$)/);)n++;const o=i.length;let a=n+1;for(;a<o&&i[a].trim();)a++;return i.slice(n,a).join(" ").trim()}return jd}var mm={dependancies:"de... L7: ${o.join(`\r ... L262: \x1B[2mtip: ${t}\x1B[0m L263: `),n.lastGlobal
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/packem_chunks/cli-main.js · L1
dist/packem_shared/env-DdQRnEIy.js
1import{createRequire as et}from"node:module";import{m as ii,a as dt,f as mu}from"./index-CE6MsgcV.js";import{a as rt}from"./readJsonSync-DuMMeB3s-ihoybKvs.js";const nt=et(import.me... L2: `);for(const g of u){const d=g.trim();if(d)try{const h=JSON.parse(d.endsWith("}")?d:`${d}}`),s=`${h.namespace?`${h.namespace}/`:""}${h.name}`,l=`${s}@${h.version}`;if(!a.has(l))con... L3: `)},Dt=()=>{const i=So();if(!mu(i))return 0;const o=ju(i).filter(e=>e.endsWith(".json"));for(const e of o)wu(ii(i,e),{force:!0});return o.length},Tt=()=>{const i=So();if(!mu(i))ret... L4: `),XX=(i,o={})=>{const e=Bt(i,o.minimumScore);if(e)return{clearCache:Dt,displayName:"Socket.dev",fetchReports:n=>Ct(n,e),getCacheStats:Tt,id:"socket"}},Mt=[161,161,164,164,167,168,...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/packem_shared/env-DdQRnEIy.js · L1
dist/packem_chunks/cache-attestation.js
1import{createRequire as _}from"node:module";import{loadOptionalSigstore as g}from"./loader.js";const R=_(import.meta.url),c=typeof globalThis<"u"&&typeof globalThis.process<"u"?glo...
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/packem_chunks/cache-attestation.js · L1
dist/packem_chunks/publish-guards.js
1package = @visulima/vis; repositoryIdentity = visulima; dependency = @visulima/secret-scanner L1: import{createRequire as v}from"node:module";const _=v(import.meta.url),d=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,g=t=>{if(typeof d<"u"&&d.ve...
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/packem_chunks/publish-guards.js · L1

Findings

8 High · 6 Medium · 5 Low
High · Child Process · bin/vis.mjs
High · Shell · dist/packem_chunks/handler77.js
High · Same File Env Network Execution · dist/packem_shared/env-DdQRnEIy.js
High · Command Output Exfiltration · dist/packem_chunks/cli-main.js
High · Sandbox Evasion Gated Capability · dist/packem_chunks/cache-attestation.js
High · Copied Package Dependency Bridge · dist/packem_chunks/publish-guards.js
High · Cross File Remote Execution Context · dist/packem_chunks/handler77.js
High · Obfuscated
Medium · Dynamic Require · bin/vis.mjs
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/packem_chunks/cli-main.js
Medium · Protestware
Medium · Structural Risk Force Deep Review
Low · Eval · dist/packem_shared/docker-BYqiD711.js
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings