registry  /  @zyno-io/ts-server-foundation  /  26.712.28

@zyno-io/ts-server-foundation@26.712.28

Static Scan Results

scanned 12h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 176 file(s), 8.30 MB of source, external domains: spec.openapis.org
Oversized source lightweight scan
dist/src/http/router.js2.32 MB file, sampled 256 KB
ChildProcess
dist/src/index.js5.69 MB file, sampled 256 KB
HighEntropyStringsMinified
dist/src/reflection/index.js4.54 MB file, sampled 256 KB
HighEntropyStringsMinified
dist/src/reflection/model.js3.97 MB file, sampled 256 KB
Minified
dist/src/reflection/reflection-class.js2.28 MB file, sampled 256 KB
HighEntropyStringsMinified

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/src/auth/jwt.jsView file
339patternName = private_key_rsa severity = critical line = 339 matchedText = return `...--`;
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/src/auth/jwt.jsView on unpkg · L339
339patternName = private_key_rsa severity = critical line = 339 matchedText = return `...--`;
Critical
Secret Pattern

RSA private key in dist/src/auth/jwt.js

dist/src/auth/jwt.jsView on unpkg · L339
dist/src/database/migration/index.jsView file
16tslib_1.__exportStar(require("./maintenance"), exports); L17: const dynamicImport = new Function('specifier', 'return import(specifier)'); L18: function createMigration(fn) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/database/migration/index.jsView on unpkg · L16
dist/src/database/database.jsView file
7exports.logSql = logSql; L8: const node_async_hooks_1 = require("node:async_hooks"); L9: const reflection_1 = require("../reflection");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/database/database.jsView on unpkg · L7
dist/src/index.jsView file
path = dist/src/index.js kind = oversized_source_file sizeBytes = 5971632 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/src/index.jsView on unpkg

Findings

2 Critical2 High5 Medium6 Low
CriticalCritical Secretdist/src/auth/jwt.js
CriticalSecret Patterndist/src/auth/jwt.js
HighInstall Time Lifecycle Scriptspackage.json
HighOversized Source Filedist/src/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/src/database/database.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/src/database/migration/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings