registry  /  @webjsdev/server  /  0.8.43

@webjsdev/server@0.8.43

webjs dev/prod server: SSR, router, API, server actions, live reload

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 64 file(s), 968 KB of source, external domains: accounts.google.com, api.github.com, api.jspm.io, docs.webjs.dev, evil.example, github.com, internal.invalid, nodejs.org, oauth2.googleapis.com, registry.npmjs.org, webjs.test, www.googleapis.com, www.sitemaps.org, x.invalid

Source & flagged code

2 flagged · loading source
src/actions.jsView file
632const bust = dev ? `?t=${Date.now()}-${Math.random().toString(36).slice(2)}` : ''; L633: return import(url + bust); L634: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/actions.jsView on unpkg · L632
src/ssr.jsView file
2package = @webjsdev/server; repositoryIdentity = webjs; dependency = @webjsdev/core L2: import { resolve } from 'node:path'; L3: import { renderToString, isNotFound, isRedirect, lookupModuleUrl, isLazy, cspNonce } from '@webjsdev/core'; L4: import { importMapTag, vendorIntegrityFor, publishedBuildId, basePath, vendorPreconnectOrigins, vendorPreloadTargets } from './importmap.js';
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

src/ssr.jsView on unpkg · L2

Findings

1 High4 Medium3 Low
HighCopied Package Dependency Bridgesrc/ssr.js
MediumDynamic Requiresrc/actions.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings