
data-primals-engine@1.7.2

data-primals-engine is a package responsible for handling large amounts of data using MongoDB in a practical and performant way. It can also get workflow models working (for automation), and fully supports internationalisation. It also has integrated AI a

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 158 file(s), 4.51 MB of source, external domains: api.stripe.com, github.com, login.microsoftonline.com, unpkg.com, votre-site.com, web.primals.net, www.mongodb.com, www.myapp.com, www.openstreetmap.org, www.w3.org, your-domain.com, yourdomain.tld

Source & flagged code

14 flagged
package.json
scripts registry_only=start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.json
scripts.preinstall = npx force-resolutions
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.preinstall = npx force-resolutions
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
client/src/translations.js
L1923: patternName = generic_password severity = medium line = 1923 matchedText = field_us...rd',
Medium
Secret Pattern

Package contains a possible secret pattern.

client/src/translations.js · L1923
L3404: patternName = generic_password severity = medium line = 3404 matchedText = field_us...ña',
Medium
Secret Pattern

Hardcoded password in client/src/translations.js

client/src/translations.js · L3404
L4880: patternName = generic_password severity = medium line = 4880 matchedText = field_us...se',
Medium
Secret Pattern

Hardcoded password in client/src/translations.js

client/src/translations.js · L4880
L6341: patternName = generic_password severity = medium line = 6341 matchedText = field_us...rt',
Medium
Secret Pattern

Hardcoded password in client/src/translations.js

client/src/translations.js · L6341
L7815: patternName = generic_password severity = medium line = 7815 matchedText = field_us...rd',
Medium
Secret Pattern

Hardcoded password in client/src/translations.js

client/src/translations.js · L7815
L12253: patternName = generic_password severity = medium line = 12253 matchedText = field_us...ور',
Medium
Secret Pattern

Hardcoded password in client/src/translations.js

client/src/translations.js · L12253
L13721: patternName = generic_password severity = medium line = 13721 matchedText = field_us...rd',
Medium
Secret Pattern

Hardcoded password in client/src/translations.js

client/src/translations.js · L13721
L15178: patternName = generic_password severity = medium line = 15178 matchedText = field_us...ης',
Medium
Secret Pattern

Hardcoded password in client/src/translations.js

client/src/translations.js · L15178
src/modules/worker-script-runner.js
L56: // The variables `db`, `logger`, `context`, etc., are available in its scope.
L57: const userFunction = new Function('db', 'workflow', 'logger', 'env', 'http', 'context', `return (async () => { ${code} })();`);
L58:
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/modules/worker-script-runner.js · L56
src/migrate.js
L125: // FIX: Convert the absolute path to a file URL for dynamic import
L126: const migration = await import(pathToFileURL(migrationPath).href);
L127: await migration.up(db);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/migrate.js · L125
src/i18n.js
L465: patternName = generic_password severity = medium line = 465 matchedText = field_us...se',
Medium
Secret Pattern

Hardcoded password in src/i18n.js

src/i18n.js · L465

Findings

1 Critical · 1 High · 14 Medium · 5 Low
Critical · Manifest Confusion · package.json
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Secret Pattern · client/src/translations.js
Medium · Dynamic Require · src/migrate.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · client/src/translations.js
Medium · Secret Pattern · client/src/translations.js
Medium · Secret Pattern · client/src/translations.js
Medium · Secret Pattern · client/src/translations.js
Medium · Secret Pattern · client/src/translations.js
Medium · Secret Pattern · client/src/translations.js
Medium · Secret Pattern · client/src/translations.js
Medium · Secret Pattern · src/i18n.js
Low · Scripts Present
Low · Eval · src/modules/worker-script-runner.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings