registry  /  dev-loops  /  0.9.0

dev-loops@0.9.0

⚠ Under review

Agent-harness-agnostic dev-loop infrastructure (Pi and Claude Code) for reusable local and remote development loops

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 161 file(s), 2.07 MB of source, external domains: github.com, www.w3.org
Oversized source lightweight scan
scripts/loop/inspect-run-viewer/vendor/mermaid.min.js3.16 MB file, sampled 256 KB
ChildProcessHighEntropyStringsMinifiedUrlStringsgithub.comwww.w3.org

Source & flagged code

6 flagged · loading source
extension/post-merge-update.tsView file
101async function defaultResolveRepoContext(exec: ExtensionHarnessAdapter['exec'], cwd: string): Promise<RepoContext> { L102: const rootResult = await exec('git rev-parse --show-toplevel', { L103: cwd,
High
Child Process

Package source references child process execution.

extension/post-merge-update.tsView on unpkg · L101
scripts/loop/ui-review-provision.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = dev-loops@0.7.1 matchedIdentity = npm:ZGV2LWxvb3Bz:0.7.1 similarity = 0.658 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/loop/ui-review-provision.mjsView on unpkg
216const cwd = runCwd; L217: const child = spawn(recipe.command, { cwd, shell: true, detached: true, stdio: "ignore" }); L218: child.unref();
High
Shell

Package source references shell execution.

scripts/loop/ui-review-provision.mjsView on unpkg · L216
154} catch { L155: return false; // absent — npm install creates a real dir L156: } ... L166: const materialized = ensureOwnNodeModules(worktreePath); L167: execFileSync("npm", ["install"], { cwd: worktreePath, encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] }); L168: return Promise.resolve({ ok: true, detail: materialized ? "npm install (materialized own node_modules)" : "npm install" });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/loop/ui-review-provision.mjsView on unpkg · L154
scripts/github/build-adjacent-bundle.mjsView file
114* - import ... from "x" / export ... from "x" L115: * - import("x") (dynamic import) L116: * - require("x")
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/github/build-adjacent-bundle.mjsView on unpkg · L114
scripts/loop/inspect-run-viewer/vendor/mermaid.min.jsView file
path = scripts/loop/inspect-run-viewer/vendor/mermaid.min.js kind = oversized_source_file sizeBytes = 3312967 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

scripts/loop/inspect-run-viewer/vendor/mermaid.min.jsView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltascripts/loop/ui-review-provision.mjs
HighChild Processextension/post-merge-update.ts
HighShellscripts/loop/ui-review-provision.mjs
HighRuntime Package Installscripts/loop/ui-review-provision.mjs
HighOversized Source Filescripts/loop/inspect-run-viewer/vendor/mermaid.min.js
MediumDynamic Requirescripts/github/build-adjacent-bundle.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings