
decocms@3.95.0

Deco CMS — Self-hostable MCP Gateway for managing AI connections and tools

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 18 findings at 72.0% confidence. This version is treated as warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface, from source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, WebSocket
Supply chain: HighEntropyStrings, Minified, Obfuscated, Protestware, Telemetry, UrlStrings
Manifest: no manifest risk signals triggered.

Scanned 216 files, 8.70 MB of source. External domains referenced in the source: admin.example.com, ai-site.deco.site, api.decocms.com, api.githubcopilot.com, api.openai.com, app.posthog.com, assets.decocache.com, cdn.captchafox.com, cdn.example.com, cdn.jsdelivr.net, challenges.cloudflare.com, deco.cx, decocms.com, decoims.com, destination-url.com, example.com, example2.com, fb.me, github.com, gravatar.com, images.weserv.nl, js.hcaptcha.com, json-schema.org, login.microsoftonline.com, player.vimeo.com, policies.google.com, posthog.com, prettier.io, prosemirror.net, pub-xxxx.r2.dev, radix-ui.com, raw.githubusercontent.com, react.dev, registry.example.com, sentry.io, studio.decocms.com, typescript-eslint.io, us.i.posthog.com, us.posthog.com, www.anthropic.com, www.decocms.com, www.google.com, www.ibm.com, www.w3.org, www.youtube.com, yandex.com, youtube.com

The example.com hosts are reserved documentation names (RFC 2606), and example2.com, destination-url.com and pub-xxxx.r2.dev read as placeholders in docs or templates; confirm against the code that references them before treating any of them as a live egress target. The remaining domains are a mix of the vendor's own services, AI provider APIs, analytics and error reporting (PostHog, Sentry) and CDN/captcha providers, which is consistent with the Telemetry and Network tags above.
Oversized source, lightweight scan

Files above the size ceiling were scanned from a 256 KB sample only, so the signals and domains listed for them come from that sample and say nothing about the rest of the file.

dist/server/cli.js (8.26 MB, sampled 256 KB): Filesystem, Network, ChildProcess, EnvironmentVars, Crypto, Obfuscated, HighEntropyStrings, Minified, UrlStrings; domains: github.com
dist/server/server.js (4.80 MB, sampled 256 KB): Network, ChildProcess, EnvironmentVars, Crypto, DynamicRequire, Obfuscated, HighEntropyStrings, Minified, UrlStrings; domains: ai-site.deco.site, decoims.com, us.i.posthog.com

Source & flagged code

7 flagged
dist/client/assets/index-B_qzQn-U.js, line 2
patternName = generic_password · severity = medium · line = 2 · matchedText = `,y);con...ema:`
Medium · Secret Pattern

Package contains a possible secret pattern. The match is in a minified client bundle, where a generic_password hit is often a form field or schema key named "password" rather than a credential; confirm what the matched identifier is before escalating.
dist/client/assets/index-DMja6jML.js, line 159
line 159: || (${P} === "string" && ${A} && ${A} == +${A} && !(${A} % 1))`).assign(L,(0,r._)`+${A}`);return;case"boolean":O.elseIf((0,r._)`${A} === "false" || ${A} === 0 || ${A} === null`).as... line 160: || ${P} === "boolean" || ${A} === null`).assign(L,(0,r._)`[${A}]`)}}}function g({gen:E,parentData:T,parentDataProperty:R},O){E.if((0,r._)`${T} !== undefined`,()=>E.assign((0,r._)`$... line 161: missingProperty: ${h},
Low · Eval

Package source references a known benign dynamic code generation pattern.
dist/client/assets/file-type-icon-B7sy06SP.js, line 89
line 89: `);O.forEach(function(C,M){var $=r&&p.length+i,W={type:"text",value:"".concat(C,` line 90: `)};if(M===0){var z=d.slice(f+1,g).concat($n({children:[W],className:h.properties.className})),G=R(z,$);p.push(G)}else if(M===O.length-1){var X=d[g+1]&&d[g+1].children&&d[g+1].chil... line 91: ?|
Medium · Dynamic Require

Package source references dynamic require/import behavior.
dist/server/emscripten-module.wasm
path = dist/server/emscripten-module.wasm · kind = wasm_module · sizeBytes = 518880 · magicHex = [redacted]
Medium · Ships Wasm Module

Package ships WebAssembly modules. The file name suggests an Emscripten-compiled module. A Wasm binary is opaque to a JavaScript-oriented static scan, so the review points are the imports the module declares and the JavaScript glue that instantiates it and passes it filesystem or network capabilities.
dist/client/sounds/notification.mp3
path = dist/client/sounds/notification.mp3 · kind = high_entropy_blob · sizeBytes = 61101 · magicHex = [redacted]
High · Ships High Entropy Blob

Package ships high-entropy non-source blobs. Compressed audio is close to random at the byte level, so entropy alone does not separate a sound file from an encrypted payload stored under an .mp3 name; confirm the container from its leading bytes (the magicHex the scanner computed is redacted here) and check that the file is only ever loaded as audio.
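As an added example, not the scanner's code and not anything shipped by decocms, the following Python reproduces the two checks that the Wasm module and high-entropy blob findings above rest on: leading magic bytes and Shannon entropy. The paths are taken from this report, the file contents are constructed, and the magic table, the 7.0 bits/byte cut-off and the extension map are this example's assumptions rather than the scanner's rules.

```python
"""Added example, not the scanner's code nor part of decocms.

Recomputes the leading magic bytes and the byte entropy of a file so the
[redacted] magicHex values can be reproduced from the published tarball, and
flags the case that matters: a file whose header does not match its name.
Magic table, entropy cut-off and extension map are assumptions.
"""
import math
from collections import Counter
from typing import Dict, Optional

# Leading-byte signatures for the kinds named in the report (assumed table).
MAGIC = [
    (b"\x00asm", "wasm"),            # WebAssembly binary: "\0asm" then a version word
    (b"ID3", "mp3"),                 # MPEG audio with an ID3v2 tag
    (b"RIFF", "riff"),               # WAV / WebP containers
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# Compressed or encrypted data sits close to 8.0 bits/byte; assumed cut-off.
ENTROPY_FLAG = 7.0

# What a file extension promises, mapped onto the MAGIC names (assumed).
EXT_TO_KIND = {"wasm": "wasm", "mp3": "mp3", "wav": "riff", "webp": "riff", "png": "png"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(data).values()))


def identify_magic(data: bytes) -> Optional[str]:
    """Name the container from its first bytes, or None if nothing matches."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    # Raw MPEG audio without an ID3 tag starts with an 11-bit frame sync (0xFFE).
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return None


def triage(path: str, data: bytes) -> Dict[str, object]:
    """Classify one file the way a reviewer would after a blob finding."""
    kind = identify_magic(data)
    entropy = shannon_entropy(data)
    base = path.rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    expected = EXT_TO_KIND.get(ext)
    if kind is not None and expected is not None and kind != expected:
        verdict = "extension_mismatch"   # e.g. a Wasm binary shipped as .mp3: escalate
    elif kind is not None:
        verdict = "expected_container"   # high entropy is normal for this kind
    elif entropy >= ENTROPY_FLAG:
        verdict = "high_entropy_blob"    # opaque, unrecognized header: inspect by hand
    else:
        verdict = "plain"                # text or source, not a blob concern
    return {
        "kind": kind,
        "magic_hex": data[:8].hex(),     # same first-bytes view the report redacts
        "entropy": round(entropy, 3),
        "verdict": verdict,
    }


def sample_files() -> Dict[str, bytes]:
    """Constructed stand-ins named after the report's paths; contents are synthetic."""
    uniform = bytes(range(256)) * 8      # every byte value equally often: exactly 8.0 bits/byte
    return {
        "dist/server/emscripten-module.wasm": b"\x00asm\x01\x00\x00\x00" + uniform,
        "dist/client/sounds/notification.mp3": b"ID3\x04\x00\x00" + uniform,
        "dist/client/sounds/not-audio.mp3": b"\x00asm\x01\x00\x00\x00" + uniform,  # Wasm under an audio name
        "dist/client/assets/opaque.bin": uniform,                                   # no recognizable header
        "dist/client/assets/index.js": b"function f(a){return a+1}\n" * 100,
    }


def triage_all(files: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    return {path: triage(path, data) for path, data in files.items()}


if __name__ == "__main__":
    for path, result in triage_all(sample_files()).items():
        print(f"{result['verdict']:19} {result['entropy']:.3f} {result['magic_hex']}  {path}")
```

To run it over the real package, extract the tarball from `npm pack decocms@3.95.0` and pass each file's bytes to triage(). A Wasm module or an MP3 whose header matches its name is the expected case behind both findings above; an .mp3 that identifies as Wasm, or a file with no recognizable header sitting near 8 bits/byte, is what deserves a manual look.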
dist/server/server.js
path = dist/server/server.js · kind = oversized_source_file · sizeBytes = 5028817 · magicHex = [redacted]
High · Oversized Source File

Package contains source files above the static scanner size ceiling; only a 256 KB sample of this file was analyzed (see the lightweight scan above).
dist/server/cli.js
path = dist/server/cli.js · kind = oversized_cli_entrypoint · sizeBytes = 8662400 · magicHex = [redacted]
Medium · Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint; only a 256 KB sample of this file was analyzed (see the lightweight scan above).

Findings

2 High · 8 Medium · 8 Low

High    Ships High Entropy Blob            dist/client/sounds/notification.mp3
High    Oversized Source File              dist/server/server.js
Medium  Secret Pattern                     dist/client/assets/index-B_qzQn-U.js
Medium  Dynamic Require                    dist/client/assets/file-type-icon-B7sy06SP.js
Medium  Network
Medium  Environment Vars
Medium  Protestware
Medium  Ships Wasm Module                  dist/server/emscripten-module.wasm
Medium  Oversized Cli Entrypoint           dist/server/cli.js
Medium  Structural Risk Force Deep Review
Low     Non Install Lifecycle Scripts
Low     Scripts Present
Low     Eval                               dist/client/assets/index-DMja6jML.js
Low     Filesystem
Low     Obfuscated
Low     High Entropy Strings
Low     Telemetry
Low     Url Strings