
cabloy@5.1.97

⚠ Under review

A Node.js fullstack framework

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 19 findings at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Minified, Obfuscated, Url Strings
Manifest: No manifest risk signals triggered.
scanned 2,251 file(s), 8.11 MB of source, external domains: api.anthropic.com, api.cloudflare.com, example.com, fonts.gstatic.com, github.com, imagedelivery.net, petstore.swagger.io, registry.npmjs.org, www.w3.org, zova.js.org

Source & flagged code

10 flagged
vona/env/.env
L9: patternName = blocked_file severity = critical matchedText = vona/env/.env redactedSecretContext = secretLikeLines = 7
    L9: SERVER_KEYS=<redacted:24 token-like>
    L45: BUILD_DIALECT_DRIVERS=<redacted:24 token-like>
    L52: TEST_PATTERNS_IGNORE=<redacted:153 token-like>
    L56: DATABASE_DEFAULT_CLIENT=<redacted:27 token-like>
    L63: DATABASE_CLIENT_PG_PASSWORD=<redacted:0 empty>
    L69: DATABASE_CLIENT_MYSQL_PASSWORD=<redacted:0 empty>
    L76: REDIS_DEFAULT_PASSWORD=<redacted:0 empty>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

vona/env/.env · L9
vona/packages-utils/utils/src/celjs/utils.ts
L20: fn =
L21:   scopeKeys && scopeKeys.length > 0 ? new Function(scopeKeys.join(','), js) : new Function(js);
L22: } catch (_err) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

vona/packages-utils/utils/src/celjs/utils.ts · L20
vona/packages-cli/cabloy-cli/src/utils.ts
L22: // version old
L23: const require = createRequire(import.meta.url);
L24: const pkg = require(`${packageName}/package.json`);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

vona/packages-cli/cabloy-cli/src/utils.ts · L22
vona/src/suite-vendor/a-image/modules/image-native/src/service/imageNative.ts
L28: export class ServiceImageNative extends BeanBase {
L29:   private _sharpInstance: SharpConstructor;
L30:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

vona/src/suite-vendor/a-image/modules/image-native/src/service/imageNative.ts · L28
vona/src/suite-vendor/a-vona/modules/a-orm/src/main.ts
L4: contains invisible/control Unicode U+200C (zero width non-joiner): import { [redacted], ServiceTransactionConsistency<U+200C> } from 'vona-module-a-orm';
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

vona/src/suite-vendor/a-vona/modules/a-orm/src/main.ts · L4
vona/scripts/app-init.sh
path = vona/scripts/app-init.sh kind = build_helper sizeBytes = 128 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

vona/scripts/app-init.sh
vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui.js
L1: patternName = generic_password severity = medium line = 1 matchedText = !functio...)));
Medium
Secret Pattern

Hardcoded password in vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui.js

vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui.js · L1
vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui-es-bundle-core.js
L2: patternName = generic_password severity = medium line = 2 matchedText = import*a...lt};
Medium
Secret Pattern

Hardcoded password in vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui-es-bundle-core.js

vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui-es-bundle-core.js · L2
vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui-bundle.js
L2: patternName = generic_password severity = medium line = 2 matchedText = !functio...)));
Medium
Secret Pattern

Hardcoded password in vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui-bundle.js

vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui-bundle.js · L2
vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui-es-bundle.js
L2: patternName = generic_password severity = medium line = 2 matchedText = (()=>{va...)();
Medium
Secret Pattern

Hardcoded password in vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui-es-bundle.js

vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui-es-bundle.js · L2

Findings

2 Critical · 9 Medium · 8 Low
Critical · Critical Secret · vona/env/.env
Critical · Trojan Source Unicode · vona/src/suite-vendor/a-vona/modules/a-orm/src/main.ts
Medium · Dynamic Require · vona/packages-cli/cabloy-cli/src/utils.ts
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · vona/scripts/app-init.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui.js
Medium · Secret Pattern · vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui-es-bundle-core.js
Medium · Secret Pattern · vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui-bundle.js
Medium · Secret Pattern · vona/src/suite-vendor/a-vona/modules/a-swagger/assets/static/swagger-ui-5.18.2/swagger-ui-es-bundle.js
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · vona/packages-utils/utils/src/celjs/utils.ts
Low · Weak Crypto · vona/src/suite-vendor/a-image/modules/image-native/src/service/imageNative.ts
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings