Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystem
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcedist/cli.jsView file
47}
L48: const { spawnSync } = await import('child_process');
L49: const res = spawnSync(cmd2[0], cmd2.slice(1), {
High
44console.error("usage: deltawright checksum --update -- <test command>\n");
L45: console.error("e.g. deltawright checksum --update -- npx playwright test");
L46: return 1;
L47: }
L48: const { spawnSync } = await import('child_process');
L49: const res = spawnSync(cmd2[0], cmd2.slice(1), {
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/cli.jsView on unpkg · L4430case "mcp": {
L31: const { startServer } = await import(new URL("./mcp/server.js", import.meta.url).href);
L32: await startServer();
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/cli.jsView on unpkg · L30dist/reporter/index.jsView file
419try {
L420: const text = typeof hit.body === "string" ? hit.body : hit.body.toString("utf8");
L421: const parsed = JSON.parse(text);
...
L523: await testInfo.attach(DELTA_ATTACHMENT_NAME, {
L524: body: JSON.stringify(delta),
L525: contentType: "application/json"
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/reporter/index.jsView on unpkg · L419Findings
2 High3 Medium6 Low
HighChild Processdist/cli.js
HighRuntime Package Installdist/cli.js
MediumDynamic Requiredist/cli.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/reporter/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings