registry  /  @zintrust/core  /  2.9.0

@zintrust/core@2.9.0

⚠ Under review

Production-grade TypeScript backend framework for JavaScript

Static Scan Results

scanned 12d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 604 file(s), 2.96 MB of source, external domains: 127.0.0.1, api.cloudflare.com, api.mailgun.net, api.pusherapp.com, api.sendgrid.com, api.termii.com, api.twilio.com, assets.local, cdn.tailwindcss.com, fonts.googleapis.com, fonts.gstatic.com, registry.npmjs.org, storage.googleapis.com, unpkg.com

Source & flagged code

5 flagged · loading source
src/config/middleware.jsView file
21patternName = generic_password severity = medium line = 21 matchedText = password...ONAR
Medium
Secret Pattern

Package contains a possible secret pattern.

src/config/middleware.jsView on unpkg · L21
src/migrations/MigrationLoader.jsView file
22const url = pathToFileURL(filePath).href; L23: const raw = (await import(url)); L24: // Some tooling/transpilation paths wrap exports under `default`.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/migrations/MigrationLoader.jsView on unpkg · L22
src/scripts/TemplateSync.jsView file
12import path from '../node-singletons/path.js'; L13: const __dirname = esmDirname(import.meta.url); L14: const ROOT_DIR = path.resolve(__dirname, '../../'); ... L336: const content = fs.readFileSync(checksumPath, 'utf8'); L337: return JSON.parse(content); L338: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/scripts/TemplateSync.jsView on unpkg · L12
src/tools/redis/RedisTransport.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @zintrust/core@2.8.7 matchedIdentity = npm:QHppbnRydXN0L2NvcmU:2.8.7 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/tools/redis/RedisTransport.jsView on unpkg
src/config/middleware.d.tsView file
27patternName = generic_password severity = medium line = 27 matchedText = readonly...rd";
Medium
Secret Pattern

Hardcoded password in src/config/middleware.d.ts

src/config/middleware.d.tsView on unpkg · L27

Findings

1 Critical5 Medium4 Low
CriticalPrevious Version Dangerous Deltasrc/tools/redis/RedisTransport.js
MediumSecret Patternsrc/config/middleware.js
MediumDynamic Requiresrc/migrations/MigrationLoader.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patternsrc/config/middleware.d.ts
LowWeak Cryptosrc/scripts/TemplateSync.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings