registry  /  dart-decimate  /  0.0.8

dart-decimate@0.0.8

Rust-native codebase intelligence for Dart and Flutter module graphs.

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 19.1 KB of source, external domains: 127.0.0.1, github.com, rustup.rs

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node npm/scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node npm/scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
src/security/tests.rsView file
506patternName = generic_password severity = medium line = 506 matchedText = viewMode...'));
Medium
Secret Pattern

Package contains a possible secret pattern.

src/security/tests.rsView on unpkg · L506
npm/bin/runner.jsView file
1const { spawnSync } = require("node:child_process"); L2: const fs = require("node:fs");
High
Child Process

Package source references child process execution.

npm/bin/runner.jsView on unpkg · L1
npm/scripts/postinstall.jsView file
2L3: const { spawnSync } = require("node:child_process"); L4: const fs = require("node:fs"); L5: const http = require("node:http"); L6: const https = require("node:https"); ... L10: L11: if (process.env.DART_DECIMATE_SKIP_BUILD === "1") { L12: process.exit(0);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

npm/scripts/postinstall.jsView on unpkg · L2
2L3: const { spawnSync } = require("node:child_process"); L4: const fs = require("node:fs"); L5: const http = require("node:http"); L6: const https = require("node:https"); ... L10: L11: if (process.env.DART_DECIMATE_SKIP_BUILD === "1") { L12: process.exit(0); ... L14: L15: const root = path.resolve(__dirname, "../.."); L16: const exeExt = process.platform === "win32" ? ".exe" : ""; L17: const cargo = process.env.CARGO || "cargo";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

npm/scripts/postinstall.jsView on unpkg · L2
2L3: const { spawnSync } = require("node:child_process"); L4: const fs = require("node:fs"); L5: const http = require("node:http"); L6: const https = require("node:https"); ... L10: L11: if (process.env.DART_DECIMATE_SKIP_BUILD === "1") { L12: process.exit(0); ... L14: L15: const root = path.resolve(__dirname, "../.."); L16: const exeExt = process.platform === "win32" ? ".exe" : ""; L17: const cargo = process.env.CARGO || "cargo";
High
Install Named Payload File

Install-named source file stages remote content through filesystem writes and execution.

npm/scripts/postinstall.jsView on unpkg · L2
npm/scripts/test-npx-prebuilt.jsView file
2L3: const { spawn, spawnSync } = require("node:child_process"); L4: const fs = require("node:fs"); ... L9: if (process.platform === "win32") { L10: console.log("skipping npx prebuilt fixture on Windows"); L11: process.exit(0);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

npm/scripts/test-npx-prebuilt.jsView on unpkg · L2

Findings

6 High5 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processnpm/bin/runner.js
HighSame File Env Network Executionnpm/scripts/postinstall.js
HighSandbox Evasion Gated Capabilitynpm/scripts/postinstall.js
HighInstall Named Payload Filenpm/scripts/postinstall.js
HighRuntime Package Installnpm/scripts/test-npx-prebuilt.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumSecret Patternsrc/security/tests.rs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings