registry  /  @zyno-io/ts-server-foundation  /  26.712.725

@zyno-io/ts-server-foundation@26.712.725

TypeScript server foundation with reflected type metadata

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 183 file(s), 7.82 MB of source, external domains: spec.openapis.org

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/src/auth/jwt.jsView file
339patternName = private_key_rsa severity = critical line = 339 matchedText = return `...--`;
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/src/auth/jwt.jsView on unpkg · L339
339patternName = private_key_rsa severity = critical line = 339 matchedText = return `...--`;
Critical
Secret Pattern

RSA private key in dist/src/auth/jwt.js

dist/src/auth/jwt.jsView on unpkg · L339
dist/src/database/migration/index.jsView file
16tslib_1.__exportStar(require("./maintenance"), exports); L17: const dynamicImport = new Function('specifier', 'return import(specifier)'); L18: function createMigration(fn) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/database/migration/index.jsView on unpkg · L16
dist/src/database/database.jsView file
7exports.logSql = logSql; L8: const node_async_hooks_1 = require("node:async_hooks"); L9: const reflection_1 = require("../reflection");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/database/database.jsView on unpkg · L7
dist/src/cli/tsf-install.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @zyno-io/ts-server-foundation@26.712.36 matchedIdentity = npm:[redacted]:26.712.36 similarity = 0.883 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/cli/tsf-install.jsView on unpkg

Findings

2 Critical2 High5 Medium6 Low
CriticalCritical Secretdist/src/auth/jwt.js
CriticalSecret Patterndist/src/auth/jwt.js
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltadist/src/cli/tsf-install.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/src/database/database.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/src/database/migration/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings