registry  /  catalyst-cli  /  0.2.4

catalyst-cli@0.2.4

Version obsolète présentant une faille de fonctionnement jugée critique par l'équipe Catalyst. Merci de mettre à jour immédiatement vers la version 0.3.6 ou supérieure.

Build your project on Catalyst from the command line and pull the artifact (web/APK/IPA) back.

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked CLI that logs into Catalyst, zips user-selected projects, uploads them for builds, polls results, and downloads artifacts.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs catalyst commands such as login, upload, check --deep, run, pull, or logout
Impact
Expected upload of user-selected project files and local storage of Catalyst token; no unconsented install-time or import-time behavior found.
Mechanism
Package-aligned CLI network client and project zipper
Rationale
Static inspection found potentially sensitive primitives, but they are aligned with documented CLI functions and require explicit user commands. There is no lifecycle execution, credential harvesting beyond Catalyst login storage, hidden exfiltration, destructive behavior, or agent-control mutation.
Evidence
package.jsonbin/catalyst.jssrc/index.jsREADME.md~/.catalyst/config.jsonuser-selected project directoryuser-selected pull output path
Network endpoints4
dev.bcat.website/catalyst/apiwww.bcat.website127.0.0.1/callbackartifact.download_url from Catalyst API response

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts; only bin is bin/catalyst.js
    • bin/catalyst.js only imports src/index.js and calls main on CLI invocation
    • src/index.js network calls are Catalyst API/login/build/upload/pull flows exposed by CLI commands
    • src/index.js stores only user-provided Catalyst session config under ~/.catalyst/config.json with chmod 0600
    • src/index.js child_process usage is limited to opening a browser and user-invoked npm dry-run check with --ignore-scripts
    • No eval/vm/dynamic native loading, persistence, destructive actions, or AI-agent control-surface writes found
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 28.1 KB of source, external domains: 127.0.0.1, dev.bcat.website, www.bcat.website

    Source & flagged code

    1 flagged · loading source
    src/index.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = catalyst-cli@0.2.1 matchedIdentity = npm:Y2F0YWx5c3QtY2xp:0.2.1 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    src/index.jsView on unpkg

    Findings

    1 Critical2 Medium3 Low
    CriticalPrevious Version Dangerous Deltasrc/index.js
    MediumNetwork
    MediumEnvironment Vars
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings