registry  /  deepspace  /  0.5.0

deepspace@0.5.0

⚠ Under review

DeepSpace SDK — build real-time collaborative apps on Cloudflare Workers

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 94 file(s), 1.62 MB of source, external domains: aka.ms, api-worker.deep.space, api-worker.internal, api.openai.com, appleid.apple.com, auth.deep.space, dashboard.deep.space, deep.space, deploy-worker.deep.space, example.com, job-room.internal, platform-worker.deep.space, www.w3.org

Source & flagged code

5 flagged · loading source
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = deepspace@0.4.5 matchedIdentity = npm:ZGVlcHNwYWNl:0.4.5 similarity = 0.840 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
4import { defineCommand as defineCommand20, runMain } from "citty"; L5: import { execSync as execSync4 } from "child_process"; L6: import { readFileSync as readFileSync14, existsSync as existsSync15 } from "fs";
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L4
1943if (IS_WIN) { L1944: return runPowershell( L1945: `Get-NetTCPConnection -LocalPort ${port} -State Listen -ErrorAction SilentlyContinue | Select-Object -ExpandProperty OwningProcess`
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L1943
4import { defineCommand as defineCommand20, runMain } from "citty"; L5: import { execSync as execSync4 } from "child_process"; L6: import { readFileSync as readFileSync14, existsSync as existsSync15 } from "fs"; ... L20: function createSpinner() { L21: if (process.stdout.isTTY) return p.spinner(); L22: return { ... L247: var PLATFORM_URLS = { L248: auth: "https://auth.deep.space", L249: api: "https://api-worker.deep.space", ... L258: } L259: const data = await res.json(); L260: if (!data.publicKey) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L4
1856console.log("Starting dev server...\n"); L1857: const vite = spawn("npx", ["vite", "--port", String(port), "--strictPort", "--host"], { L1858: cwd: appDir2,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L1856

Findings

1 Critical4 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/cli.js
HighShelldist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
HighRuntime Package Installdist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings