
decocms@3.84.3

⚠ Under review

Deco CMS — Self-hostable MCP Gateway for managing AI connections and tools

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the previous stored version diff introduced dangerous source.

Decision evidence

public snapshot

Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, WebSocket
Supply chain: HighEntropyStrings, Minified, Obfuscated, Protestware, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.

Scanned 214 file(s), 8.63 MB of source. External domains: admin.example.com, ai-site.deco.site, api.decocms.com, api.githubcopilot.com, api.openai.com, app.posthog.com, assets.decocache.com, cdn.captchafox.com, cdn.example.com, cdn.jsdelivr.net, challenges.cloudflare.com, deco.cx, decocms.com, decoims.com, destination-url.com, example.com, example2.com, fb.me, github.com, gravatar.com, images.weserv.nl, js.hcaptcha.com, json-schema.org, login.microsoftonline.com, player.vimeo.com, policies.google.com, posthog.com, prettier.io, prosemirror.net, pub-xxxx.r2.dev, radix-ui.com, raw.githubusercontent.com, react.dev, registry.example.com, sentry.io, studio.decocms.com, typescript-eslint.io, us.i.posthog.com, us.posthog.com, www.anthropic.com, www.decocms.com, www.google.com, www.ibm.com, www.w3.org, www.youtube.com, yandex.com, youtube.com

Oversized source (lightweight scan)
dist/server/cli.js: 8.25 MB file, sampled 256 KB
  Signals: Filesystem, Network, ChildProcess, EnvironmentVars, Crypto, Obfuscated, HighEntropyStrings, Minified, UrlStrings
  Domains: github.com
dist/server/server.js: 4.79 MB file, sampled 256 KB
  Signals: Network, ChildProcess, EnvironmentVars, Crypto, DynamicRequire, Obfuscated, HighEntropyStrings, Minified, UrlStrings
  Domains: ai-site.deco.site, decoims.com, us.i.posthog.com

Source & flagged code

8 flagged

dist/client/assets/index-CZynoR0p.js (line 2)
patternName = generic_password severity = medium line = 2 matchedText = `,g);con...ema:
Medium · Secret Pattern
Package contains a possible secret pattern.
dist/client/assets/index-Cdi_SW9v.js (line 159)
L159: || (${P} === "string" && ${A} && ${A} == +${A} && !(${A} % 1))`).assign(L,(0,r._)`+${A}`);return;case"boolean":O.elseIf((0,r._)`${A} === "false" || ${A} === 0 || ${A} === null`).as...
L160: || ${P} === "boolean" || ${A} === null`).assign(L,(0,r._)`[${A}]`)}}}function g({gen:E,parentData:T,parentDataProperty:R},O){E.if((0,r._)`${T} !== undefined`,()=>E.assign((0,r._)`$...
L161: missingProperty: ${h},
Low · Eval
Package source references a known benign dynamic code generation pattern.
dist/client/assets/file-type-icon-CzW2A5RE.js (line 89)
L89: `);O.forEach(function(C,M){var $=r&&p.length+i,W={type:"text",value:"".concat(C,`
L90: `)};if(M===0){var z=d.slice(f+1,g).concat($n({children:[W],className:h.properties.className})),G=R(z,$);p.push(G)}else if(M===O.length-1){var X=d[g+1]&&d[g+1].children&&d[g+1].chil...
L91: ?|
Medium · Dynamic Require
Package source references dynamic require/import behavior.
dist/server/emscripten-module.wasm
path = dist/server/emscripten-module.wasm kind = wasm_module sizeBytes = 518880 magicHex = [redacted]
Medium · Ships Wasm Module
Package ships WebAssembly modules.
dist/client/sounds/notification.mp3
path = dist/client/sounds/notification.mp3 kind = high_entropy_blob sizeBytes = 61101 magicHex = [redacted]
High · Ships High Entropy Blob
Package ships high-entropy non-source blobs.
dist/server/server.js
path = dist/server/server.js kind = oversized_source_file sizeBytes = 5026856 magicHex = [redacted]
High · Oversized Source File
Package contains source files above the static scanner size ceiling.
dist/server/cli.js
path = dist/server/cli.js kind = oversized_cli_entrypoint sizeBytes = 8654957 magicHex = [redacted]
Medium · Oversized Cli Entrypoint
Package contains an oversized executable-looking CLI entrypoint.
dist/client/assets/index-DpoaFFFe.js
matchType = previous_version_dangerous_delta matchedPackage = decocms@3.84.1 matchedIdentity = npm:ZGVjb2Ntcw:3.84.1 similarity = 0.808 summary = stored previous version shares package body but lacks this dangerous source file
Critical · Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.

Findings

1 Critical · 2 High · 8 Medium · 8 Low

Critical · Previous Version Dangerous Delta · dist/client/assets/index-DpoaFFFe.js
High · Ships High Entropy Blob · dist/client/sounds/notification.mp3
High · Oversized Source File · dist/server/server.js
Medium · Secret Pattern · dist/client/assets/index-CZynoR0p.js
Medium · Dynamic Require · dist/client/assets/file-type-icon-CzW2A5RE.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Wasm Module · dist/server/emscripten-module.wasm
Medium · Oversized Cli Entrypoint · dist/server/cli.js
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · dist/client/assets/index-Cdi_SW9v.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings