Static Scan Results
scanned 13h ago · by rust-scannerStatic analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/actions.jsView file
632const bust = dev ? `?t=${Date.now()}-${Math.random().toString(36).slice(2)}` : '';
L633: return import(url + bust);
L634: }
Medium
Dynamic Require
Package source references dynamic require/import behavior.
src/actions.jsView on unpkg · L632src/ssr.jsView file
2package = @webjsdev/server; repositoryIdentity = webjs; dependency = @webjsdev/core
L2: import { resolve } from 'node:path';
L3: import { renderToString, isNotFound, isRedirect, isForbidden, isUnauthorized, lookupModuleUrl, isLazy, cspNonce } from '@webjsdev/core';
L4: import { importMapTag, vendorIntegrityFor, publishedBuildId, basePath, vendorPreconnectOrigins, vendorPreloadTargets } from './importmap.js';
High
Copied Package Dependency Bridge
Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
src/ssr.jsView on unpkg · L2Findings
1 High4 Medium3 Low
HighCopied Package Dependency Bridgesrc/ssr.js
MediumDynamic Requiresrc/actions.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings