registry  /  catalyst-cli  /  0.1.0

catalyst-cli@0.1.0

Version obsolète présentant une faille de fonctionnement jugée critique par l'équipe Catalyst. Merci de mettre à jour immédiatement vers la version 0.3.6 ou supérieure.

Build your project on Catalyst from the command line and pull the artifact (web/APK/IPA) back.

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked CI/build CLI that uploads a selected directory, triggers builds, polls status, and downloads an artifact.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs catalyst upload/build/pull/run with API and token configuration.
Impact
User-selected project files may be uploaded to the configured Catalyst API and build artifacts may be written to the requested output path.
Mechanism
Authenticated project upload/build/download CLI workflow
Rationale
Static inspection shows package-aligned network and filesystem behavior activated only by CLI commands, with no lifecycle execution or hidden exfiltration primitives. Scanner warnings are explained by the documented Catalyst API client behavior and PAT-based authentication.
Evidence
package.jsonbin/catalyst.jssrc/index.jsREADME.mduser-supplied upload directoryuser-supplied --out path or artifact filename
Network endpoints3
www.dev.bcat.website/catalyst/apiwww.bcat.website/catalyst/apicaller-provided CATALYST_API or --api

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts; only bin maps catalyst to bin/catalyst.js.
    • bin/catalyst.js only invokes exported main on user CLI execution.
    • src/index.js reads only CATALYST_API/CATALYST_TOKEN or flags for explicit auth configuration.
    • src/index.js zips a user-supplied directory for upload and skips common dependency/build/cache dirs.
    • Network calls are tied to documented upload/build/pull commands and caller-provided API base.
    • No child_process, eval/vm/Function, dynamic loading, persistence, credential harvesting, or install-time execution found.
    Behavioral surface
    Source
    EnvironmentVarsFilesystemNetwork
    Supply chain
    UrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 10.1 KB of source, external domains: www.dev.bcat.website

    Source & flagged code

    1 flagged · loading source
    src/index.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = catalyst-cli@0.2.1 matchedIdentity = npm:Y2F0YWx5c3QtY2xp:0.2.1 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    src/index.jsView on unpkg

    Findings

    1 Critical2 Medium2 Low
    CriticalPrevious Version Dangerous Deltasrc/index.js
    MediumNetwork
    MediumEnvironment Vars
    LowFilesystem
    LowUrl Strings