registry  /  chaincss  /  2.11.1

chaincss@2.11.1

ChainCSS - The first CSS-in-JS library with true auto-detection mixed mode. Zero runtime by default, dynamic when you need it.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 2.27 MB of source, external domains: github.com, www.w3.org

Source & flagged code

6 flagged · loading source
dist/cli/index.jsView file
7684import fs10 from "fs"; L7685: import { spawn } from "child_process"; L7686: import { createServer } from "http";
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L7684
7794logger.info("\u{1F3A8} Starting CSS compiler..."); L7795: const cssWatcher = spawn("npx", ["chaincss", "build", "--watch", ...options.config ? ["--config", options.config] : []], { stdio: ["inherit", "pipe", "pipe"], shell: true, env: { .... L7796: const cssReady = new Promise((resolve) => {
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L7794
7794logger.info("\u{1F3A8} Starting CSS compiler..."); L7795: const cssWatcher = spawn("npx", ["chaincss", "build", "--watch", ...options.config ? ["--config", options.config] : []], { stdio: ["inherit", "pipe", "pipe"], shell: true, env: { .... L7796: const cssReady = new Promise((resolve) => {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L7794
dist/plugins/webpack.jsView file
534function __import__(name) { L535: return new Function("name", "return import(name)")(name); L536: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugins/webpack.jsView on unpkg · L534
534function __import__(name) { L535: return new Function("name", "return import(name)")(name); L536: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/plugins/webpack.jsView on unpkg · L534
132threshold: 2, L133: naming: process.env.NODE_ENV === "production" ? "hash" : "readable", L134: cache: true, ... L534: function __import__(name) { L535: return new Function("name", "return import(name)")(name); L536: } ... L2591: if (!macro2) return null; L2592: const merged = JSON.parse(JSON.stringify(macro2)); L2593: if (!overrides) return merged; ... L5127: type: "responsive-issues", L5128: data: { issues, count: issues.length }, L5129: confidence: issues.some((i) => i.severity === "error") ? 1 : 0.7
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/plugins/webpack.jsView on unpkg · L132

Findings

3 High4 Medium7 Low
HighChild Processdist/cli/index.js
HighShelldist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumDynamic Requiredist/plugins/webpack.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/plugins/webpack.js
LowWeak Cryptodist/plugins/webpack.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings