registry  /  @webjsdev/cli  /  0.10.37

@webjsdev/cli@0.10.37

⚠ Under review

webjs CLI - dev, start, create, db

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 98 file(s), 640 KB of source, external domains: app.example.com, bugs.chromium.org, bugs.webkit.org, bugzilla.mozilla.org, docs.webjs.dev, github.com, nodejs.org, tailwindcss.com, ui.webjs.dev, webjs.dev, www.w3.org

Source & flagged code

10 flagged · loading source
lib/saas-template.jsView file
281patternName = generic_password severity = medium line = 281 matchedText = " const...';",
Medium
Secret Pattern

Package contains a possible secret pattern.

lib/saas-template.jsView on unpkg · L281
400patternName = generic_password severity = medium line = 400 matchedText = " if (p...';",
Medium
Secret Pattern

Hardcoded password in lib/saas-template.js

lib/saas-template.jsView on unpkg · L400
bin/webjs.jsView file
2import { resolve, join, dirname } from 'node:path'; L3: import { spawn } from 'node:child_process'; L4: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

bin/webjs.jsView on unpkg · L2
2Cross-file remote execution chain: bin/webjs.js spawns lib/create.js; helper contains network access plus dynamic code execution. L2: import { resolve, join, dirname } from 'node:path'; L3: import { spawn } from 'node:child_process'; L4: import { fileURLToPath } from 'node:url'; ... L9: L10: const __dirname = dirname(fileURLToPath(import.meta.url)); L11: const [cmd, ...rest] = process.argv.slice(2); ... L25: const { readFileSync } = await import('node:fs'); L26: const pkg = JSON.parse( L27: readFileSync(join(__dirname, '..', 'package.json'), 'utf8'), L28: ); ... L130: // start the server directly. L131: if (process.env.__WEBJS_DEV_CHILD === '1') {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/webjs.jsView on unpkg · L2
238'webjs db: drizzle-kit is not installed in this project.\n' + L239: 'Install it with `npm install -D drizzle-kit`, then re-run `webjs db ' + sub + '`.', L240: ); ... L242: } L243: const child = spawn(process.execPath, [dkPath, ...kitArgs, ...args], { stdio: 'inherit', cwd: process.cwd() }); L244: child.on('exit', (code) => process.exit(code ?? 0));
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/webjs.jsView on unpkg · L238
lib/run-tasks.jsView file
45const code = await new Promise((res) => { L46: const c = spawn(step, { shell: true, stdio: 'inherit', cwd, env }); L47: c.on('exit', (code) => res(code ?? 0));
High
Shell

Package source references shell execution.

lib/run-tasks.jsView on unpkg · L45
lib/doctor.jsView file
275package = @webjsdev/cli; repositoryIdentity = webjs; dependency = @webjsdev/server L275: try { L276: const mod = await import('@webjsdev/server'); L277: vendor = { hasVendorPin: mod.hasVendorPin, findOutdated: mod.findOutdated };
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

lib/doctor.jsView on unpkg · L275
templates/.cursor/hooks/nudge-uncommitted.shView file
path = templates/.cursor/hooks/nudge-uncommitted.sh kind = payload_in_excluded_dir sizeBytes = 1432 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

templates/.cursor/hooks/nudge-uncommitted.shView on unpkg
path = templates/.cursor/hooks/nudge-uncommitted.sh kind = build_helper sizeBytes = 1432 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/.cursor/hooks/nudge-uncommitted.shView on unpkg
lib/create.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @webjsdev/cli@0.10.32 matchedIdentity = npm:QHdlYmpzZGV2L2NsaQ:0.10.32 similarity = 0.806 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/create.jsView on unpkg

Findings

1 Critical6 High6 Medium3 Low
CriticalPrevious Version Dangerous Deltalib/create.js
HighChild Processbin/webjs.js
HighShelllib/run-tasks.js
HighCopied Package Dependency Bridgelib/doctor.js
HighCross File Remote Execution Contextbin/webjs.js
HighRuntime Package Installbin/webjs.js
HighPayload In Excluded Dirtemplates/.cursor/hooks/nudge-uncommitted.sh
MediumSecret Patternlib/saas-template.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/.cursor/hooks/nudge-uncommitted.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternlib/saas-template.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings