registry  /  @zyno-io/ts-server-foundation  /  26.714.651

@zyno-io/ts-server-foundation@26.714.651

TypeScript server foundation with reflected type metadata

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 185 file(s), 8.16 MB of source, external domains: github.com, spec.openapis.org
Oversized source lightweight scan
dist/src/http/router.js5.89 MB file, sampled 256 KB
ChildProcess
dist/src/index.js4.30 MB file, sampled 256 KB
Minified
dist/src/reflection/index.js2.93 MB file, sampled 256 KB
Minified
dist/src/reflection/model.js2.93 MB file, sampled 256 KB
Minified
dist/src/reflection/reflection-class.js5.86 MB file, sampled 256 KB
Minified

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/src/auth/jwt.jsView file
342patternName = private_key_rsa severity = critical line = 342 matchedText = return `...--`;
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/src/auth/jwt.jsView on unpkg · L342
342patternName = private_key_rsa severity = critical line = 342 matchedText = return `...--`;
Critical
Secret Pattern

RSA private key in dist/src/auth/jwt.js

dist/src/auth/jwt.jsView on unpkg · L342
dist/src/database/migration/index.jsView file
19tslib_1.__exportStar(require("./maintenance"), exports); L20: const dynamicImport = new Function('specifier', 'return import(specifier)'); L21: function createMigration(fn) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/database/migration/index.jsView on unpkg · L19
dist/src/database/database.jsView file
7exports.logSql = logSql; L8: const tslib_1 = require("tslib"); L9: const _a = tslib_1.__importStar(require("@zyno-io/ts-server-foundation/type-metadata-runtime"));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/database/database.jsView on unpkg · L7
dist/src/index.jsView file
path = dist/src/index.js kind = oversized_source_file sizeBytes = 4506171 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/src/index.jsView on unpkg
dist/src/cli/tsf-install.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @zyno-io/ts-server-foundation@26.714.5 matchedIdentity = npm:[redacted]:26.714.5 similarity = 0.833 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/cli/tsf-install.jsView on unpkg

Findings

2 Critical3 High5 Medium6 Low
CriticalCritical Secretdist/src/auth/jwt.js
CriticalSecret Patterndist/src/auth/jwt.js
HighInstall Time Lifecycle Scriptspackage.json
HighOversized Source Filedist/src/index.js
HighPrevious Version Dangerous Deltadist/src/cli/tsf-install.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/src/database/database.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/src/database/migration/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings