registry  /  deepspace  /  0.4.5

deepspace@0.4.5

DeepSpace SDK — build real-time collaborative apps on Cloudflare Workers

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 94 file(s), 1.54 MB of source, external domains: aka.ms, api-worker.deep.space, api-worker.internal, api.openai.com, appleid.apple.com, auth.deep.space, dashboard.deep.space, deep.space, deploy-worker.deep.space, example.com, job-room.internal, platform-worker.deep.space, www.w3.org

Source & flagged code

5 flagged · loading source
dist/cli.jsView file
4import { defineCommand as defineCommand18, runMain } from "citty"; L5: import { execSync as execSync5 } from "child_process"; L6: import { readFileSync as readFileSync12, existsSync as existsSync13 } from "fs";
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L4
930if (IS_WIN) { L931: return runPowershell( L932: `Get-NetTCPConnection -LocalPort ${port} -State Listen -ErrorAction SilentlyContinue | Select-Object -ExpandProperty OwningProcess`
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L930
2591import { defineCommand as defineCommand13 } from "citty"; L2592: import { execSync as execSync4 } from "child_process"; L2593: var API_URL2 = process.env.DEEPSPACE_API_URL ?? ENVS.prod.api; L2594: async function api(token, path, init) { L2595: const res = await fetch(`${API_URL2}${path}`, { L2596: ...init,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L2591
4import { defineCommand as defineCommand18, runMain } from "citty"; L5: import { execSync as execSync5 } from "child_process"; L6: import { readFileSync as readFileSync12, existsSync as existsSync13 } from "fs"; ... L22: function createSpinner() { L23: if (process.stdout.isTTY) return p.spinner(); L24: return { ... L151: var ENV_URLS = { L152: auth: "https://auth.deep.space", L153: api: "https://api-worker.deep.space", ... L166: } L167: const data = await res.json(); L168: if (!data.publicKey) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L4
1021try { L1022: execSync("npx playwright --version", { cwd: appDir, stdio: "pipe" }); L1023: } catch {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L1021

Findings

5 High3 Medium5 Low
HighChild Processdist/cli.js
HighShelldist/cli.js
HighSame File Env Network Executiondist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
HighRuntime Package Installdist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings