registry  /  chaincss  /  2.10.8

chaincss@2.10.8

⚠ Under review

ChainCSS - The first CSS-in-JS library with true auto-detection mixed mode. Zero runtime by default, dynamic when you need it.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 131 file(s), 3.04 MB of source, external domains: chaincss.dev, github.com, www.w3.org

Source & flagged code

7 flagged · loading source
dist/cli/index.jsView file
7300import fs9 from "fs"; L7301: import { spawn } from "child_process"; L7302: import { createServer } from "http";
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L7300
7410logger.info("\u{1F3A8} Starting CSS compiler..."); L7411: const cssWatcher = spawn("npx", ["chaincss", "build", "--watch", ...options.config ? ["--config", options.config] : []], { stdio: ["inherit", "pipe", "pipe"], shell: true, env: { .... L7412: const cssReady = new Promise((resolve) => {
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L7410
7410logger.info("\u{1F3A8} Starting CSS compiler..."); L7411: const cssWatcher = spawn("npx", ["chaincss", "build", "--watch", ...options.config ? ["--config", options.config] : []], { stdio: ["inherit", "pipe", "pipe"], shell: true, env: { .... L7412: const cssReady = new Promise((resolve) => {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L7410
dist/plugins/webpack.jsView file
463function __import__(name) { L464: return new Function("name", "return import(name)")(name); L465: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugins/webpack.jsView on unpkg · L463
463function __import__(name) { L464: return new Function("name", "return import(name)")(name); L465: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/plugins/webpack.jsView on unpkg · L463
132threshold: 2, L133: naming: process.env.NODE_ENV === "production" ? "hash" : "readable", L134: cache: true, ... L463: function __import__(name) { L464: return new Function("name", "return import(name)")(name); L465: } ... L2513: if (!macro2) return null; L2514: const merged = JSON.parse(JSON.stringify(macro2)); L2515: if (!overrides) return merged; ... L4926: type: "responsive-issues", L4927: data: { issues, count: issues.length }, L4928: confidence: issues.some((i) => i.severity === "error") ? 1 : 0.7
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/plugins/webpack.jsView on unpkg · L132
src/cli/commands/dev.tsView file
matchType = previous_version_dangerous_delta matchedPackage = chaincss@2.10.4 matchedIdentity = npm:Y2hhaW5jc3M:2.10.4 similarity = 0.883 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/cli/commands/dev.tsView on unpkg

Findings

1 Critical3 High4 Medium7 Low
CriticalPrevious Version Dangerous Deltasrc/cli/commands/dev.ts
HighChild Processdist/cli/index.js
HighShelldist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumDynamic Requiredist/plugins/webpack.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/plugins/webpack.js
LowWeak Cryptodist/plugins/webpack.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings