registry  /  chaincss  /  2.12.0

chaincss@2.12.0

ChainCSS - The first CSS-in-JS library with true auto-detection mixed mode. Zero runtime by default, dynamic when you need it.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 3.20 MB of source, external domains: github.com, raw.githubusercontent.com, www.w3.org

Source & flagged code

6 flagged · loading source
dist/cli/index.jsView file
8477import fs11 from "fs"; L8478: import { spawn } from "child_process"; L8479: import { createServer } from "http";
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L8477
8587logger.info("\u{1F3A8} Starting CSS compiler..."); L8588: const cssWatcher = spawn("npx", ["chaincss", "build", "--watch", ...options.config ? ["--config", options.config] : []], { stdio: ["inherit", "pipe", "pipe"], shell: true, env: { .... L8589: const cssReady = new Promise((resolve) => {
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L8587
8587logger.info("\u{1F3A8} Starting CSS compiler..."); L8588: const cssWatcher = spawn("npx", ["chaincss", "build", "--watch", ...options.config ? ["--config", options.config] : []], { stdio: ["inherit", "pipe", "pipe"], shell: true, env: { .... L8589: const cssReady = new Promise((resolve) => {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L8587
dist/plugins/webpack.jsView file
3050function __import__(name) { L3051: return new Function("name", "return import(name)")(name); L3052: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugins/webpack.jsView on unpkg · L3050
3050function __import__(name) { L3051: return new Function("name", "return import(name)")(name); L3052: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/plugins/webpack.jsView on unpkg · L3050
879const op = typeof v === "number" ? v : 0.05; L880: c.backgroundImage = `url("data:image/svg+xml,%3Csvg viewBox='0 0 200 200' xmlns='http://www.w3.org/2000/svg'%3E%3Cfilter id='n'%3E%3CfeTurbulence type='fractalNoise' baseFrequency=... L881: }, ... L1183: function recordHistory(decl, pass, action, previous, reason) { L1184: if (process.env.NODE_ENV === "production") return; L1185: decl.history.push({ ... L1481: let minInRow = cur[0]; L1482: const ca = a.charCodeAt(i - 1); L1483: for (let j = 1; j <= bl; j++) { ... L3050: function __import__(name) { L3051: return new Function("name", "return import(name)")(name); L3052: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/plugins/webpack.jsView on unpkg · L879

Findings

3 High4 Medium7 Low
HighChild Processdist/cli/index.js
HighShelldist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumDynamic Requiredist/plugins/webpack.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/plugins/webpack.js
LowWeak Cryptodist/plugins/webpack.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings