@vyuhlabs/dxkit@2.21.2

⚠ Under review

A deterministic stop condition and code-graph context layer for AI coding agents: gives agents a code graph to make changes, then blocks only net-new detector-backed regressions at the stop boundary, with no model in the gate.

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Minified, Url Strings
Manifest: No manifest risk signals triggered.
scanned 240 file(s), 2.87 MB of source, external domains: api.first.org, api.osv.dev, api.snyk.io, cli.github.com, github.com, json.schemastore.org, osv.dev, registry.npmjs.org, rustsec.org, snyk.io, www.cisa.gov, www.conventionalcommits.org, www.npmjs.com

Source & flagged code

8 flagged
CHANGELOG.md
patternName = aws_access_key severity = critical line = 3546 matchedText = access k...ters
Critical
Critical Secret

Package contains a critical-looking secret pattern.

CHANGELOG.md · L3546
patternName = aws_access_key severity = critical line = 3546 matchedText = access k...ters
Critical
Secret Pattern

AWS access key ID in CHANGELOG.md

CHANGELOG.md · L3546
dist/analyzers/health/actions.js
L232: id: 'health.security.remove-eval',
L233: title: `Remove ${m.evalCount} eval() call${m.evalCount === 1 ? '' : 's'}`,
L234: rationale: 'eval() enables arbitrary code execution. Replace with explicit parsing.',
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/analyzers/health/actions.js · L232
dist/constants.js
L38: exports.buildConditions = buildConditions;
L39: const fs = __importStar(require("fs"));
L40: const path = __importStar(require("path"));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/constants.js · L38
templates/.devcontainer/post-create.sh
path = templates/.devcontainer/post-create.sh kind = payload_in_excluded_dir sizeBytes = 4491 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

templates/.devcontainer/post-create.sh
path = templates/.devcontainer/post-create.sh kind = build_helper sizeBytes = 4491 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/.devcontainer/post-create.sh
dist/loop/stop-gate.js
matchType = previous_version_dangerous_delta matchedPackage = @vyuhlabs/dxkit@2.19.0 matchedIdentity = npm:QHZ5dWhsYWJzL2R4a2l0:2.19.0 similarity = 0.917 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/loop/stop-gate.js
dist/analyzers/tools/grep-secrets.js
patternName = generic_password severity = medium line = 133 matchedText = // (`pas...o an
Medium
Secret Pattern

Hardcoded password in dist/analyzers/tools/grep-secrets.js

dist/analyzers/tools/grep-secrets.js · L133

Findings

3 Critical · 1 High · 6 Medium · 6 Low

Critical · Critical Secret · CHANGELOG.md
Critical · Previous Version Dangerous Delta · dist/loop/stop-gate.js
Critical · Secret Pattern · CHANGELOG.md
High · Payload In Excluded Dir · templates/.devcontainer/post-create.sh
Medium · Dynamic Require · dist/constants.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · templates/.devcontainer/post-create.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist/analyzers/tools/grep-secrets.js
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · dist/analyzers/health/actions.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings