registry  /  @vizejs/vite-plugin-musea  /  0.269.0

@vizejs/vite-plugin-musea@0.269.0

⚠ Under review

Vite plugin for Musea - Component gallery for Vue components

Static Scan Results

scanned 11d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 104 file(s), 3.91 MB of source, external domains: bugzilla.mozilla.org, code.google.com, developer.mozilla.org, developers.google.com, drafts.csswg.org, en.wikipedia.org, github.com, googlechrome.github.io, hacks.mozilla.org, help.yahoo.com, html.spec.whatwg.org, r12a.github.io, sass-lang.com, schema.org, stackoverflow.com, support.google.com, tools.ietf.org, wiki.whatwg.org, www.bing.com, www.dmoz.org, www.iana.org, www.ietf.org, www.w3.org, www.whatwg.org
Oversized source lightweight scan
dist/gallery/assets/editor.api2-CJZ9tF6K.js3.46 MB file, sampled 256 KB
ChildProcessObfuscatedHighEntropyStringsMinified
dist/gallery/assets/ts.worker-METxwbDZ.js6.57 MB file, sampled 256 KB
FilesystemNetworkChildProcess

Source & flagged code

3 flagged · loading source
dist/autogen-B7_TO0n5.mjsView file
210package = @vizejs/vite-plugin-musea; repositoryIdentity = vize; dependency = @vizejs/native L210: try { L211: native = require("@vizejs/native"); L212: return native;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/autogen-B7_TO0n5.mjsView on unpkg · L210
dist/gallery/assets/html.worker-CQP8QQsS.jsView file
29contains invisible/control Unicode U+2060 (word joiner) `,"nexist;":`∄`,"nexists;":`∄`,"Nfr;":`𝔑`,"nfr;":`𝔫`,"ngE;":`≧̸`,"nge;":`≱`,"ngeq;":`≱`,"ngeqq;":`≧̸`,"ngeqslant;":`⩾̸`,"nges;":`⩾̸`,"nGg;":`⋙̸`,"ngsim;":`≵`,"nGt;":`≫⃒`,"ngt;":`≯`,"ngtr;":`≯`,"nGtv;":`≫̸`,"nhArr;":`⇎`,"nharr;":`↮`,"nhpar;"
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/gallery/assets/html.worker-CQP8QQsS.jsView on unpkg · L29
dist/gallery/assets/ts.worker-METxwbDZ.jsView file
path = dist/gallery/assets/ts.worker-METxwbDZ.js kind = oversized_source_file sizeBytes = 6894230 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/gallery/assets/ts.worker-METxwbDZ.jsView on unpkg

Findings

1 Critical2 High4 Medium5 Low
CriticalTrojan Source Unicodedist/gallery/assets/html.worker-CQP8QQsS.js
HighCopied Package Dependency Bridgedist/autogen-B7_TO0n5.mjs
HighOversized Source Filedist/gallery/assets/ts.worker-METxwbDZ.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings