registry  /  @webjsdev/server  /  0.8.48

@webjsdev/server@0.8.48

webjs dev/prod server: SSR, router, API, server actions, live reload

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 67 file(s), 1008 KB of source, external domains: accounts.google.com, api.github.com, api.jspm.io, docs.webjs.dev, evil.example, github.com, internal.invalid, nodejs.org, oauth2.googleapis.com, registry.npmjs.org, webjs.test, www.googleapis.com, www.sitemaps.org, x.invalid

Source & flagged code

3 flagged · loading source
src/actions.jsView file
632const bust = dev ? `?t=${Date.now()}-${Math.random().toString(36).slice(2)}` : ''; L633: return import(url + bust); L634: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/actions.jsView on unpkg · L632
src/ssr.jsView file
2package = @webjsdev/server; repositoryIdentity = webjs; dependency = @webjsdev/core L2: import { resolve } from 'node:path'; L3: import { renderToString, isNotFound, isRedirect, isForbidden, isUnauthorized, lookupModuleUrl, isLazy, cspNonce } from '@webjsdev/core'; L4: import { importMapTag, vendorIntegrityFor, publishedBuildId, appSourceId, basePath, vendorPreconnectOrigins, vendorPreloadTargets } from './importmap.js';
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

src/ssr.jsView on unpkg · L2
src/dev.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @webjsdev/server@0.8.47 matchedIdentity = npm:QHdlYmpzZGV2L3NlcnZlcg:0.8.47 similarity = 0.894 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/dev.jsView on unpkg

Findings

2 High4 Medium3 Low
HighCopied Package Dependency Bridgesrc/ssr.js
HighPrevious Version Dangerous Deltasrc/dev.js
MediumDynamic Requiresrc/actions.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings