bosia@0.8.6

A fast, batteries-included fullstack framework — SSR · Svelte 5 Runes · Bun · ElysiaJS. File-based routing. No Node.js, no Vite, no adapters.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface

Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: Wildcard Dependency
scanned 93 file(s), 445 KB of source, external domains: fonts.googleapis.com, github.com, raw.githubusercontent.com

Source & flagged code

3 flagged
src/core/dev.ts

    L126: console.log("🏗️ Building...");
    L127: const proc = spawn(["bun", "run", BUILD_SCRIPT], {
    L128:   stdout: "inherit",

Severity: High
Category: Child Process

Package source references child process execution.

Location: src/core/dev.ts · L126
src/core/plugin.ts

    L13: name: "bosia-resolver",
    L14: setup(build: import("bun").PluginBuilder) {
    L15:   // bosia:routes → .bosia/routes.client.ts (browser) or .bosia/routes.ts (server)

Severity: Medium
Category: Dynamic Require

Package source references dynamic require/import behavior.

Location: src/core/plugin.ts · L13
src/cli/registry.ts

    L184:
    L185: /** Run `bun add` for deps and optionally `bun add --dev` for devDeps. */
    L186: export async function bunAdd(
    ...
    L193:   console.log(`\n📥 npm: ${packages.join(", ")}`);
    L194:   const proc = spawn(["bun", "add", ...packages], {
    L195:     stdout: "inherit",

Severity: High
Category: Runtime Package Install

Package source invokes a package manager install command at runtime.

Location: src/cli/registry.ts · L184

Findings

3 High · 5 Medium · 4 Low

High · Child Process · src/core/dev.ts
High · Shell
High · Runtime Package Install · src/cli/registry.ts
Medium · Dynamic Require · src/core/plugin.ts
Medium · Network
Medium · Environment Vars
Medium · Structural Risk (Force Deep Review)
Medium · Wildcard Dependency
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings