
domma-cms@0.36.7

File-based CMS powered by Domma and Fastify. Run npx domma-cms my-site to create a new project.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Minified, Telemetry, Url Strings
Manifest: No manifest risk signals triggered.
Scanned 242 file(s), 2.36 MB of source. External domains: cdn.jsdelivr.net, example.com, fonts.googleapis.com, fonts.gstatic.com, hooks.example.com, player.vimeo.com, schema.org, via.placeholder.com, www.sitemaps.org, www.w3.org, youtu.be

Source & flagged code

4 flagged
bin/update.js
L11: import {cpSync, existsSync, mkdirSync, readdirSync, readFileSync, rmSync, statSync, writeFileSync,} from 'node:fs';
L12: import {spawnSync} from 'node:child_process';
L13: import path from 'node:path';
High
Child Process

Package source references child process execution.

bin/update.js · L11
L3: * Domma CMS — Project Update
L4: * Usage: npx domma-cms update [--yes] [--no-backup] [--no-install] [--dry-run]
L5: * ...
L11: import {cpSync, existsSync, mkdirSync, readdirSync, readFileSync, rmSync, statSync, writeFileSync,} from 'node:fs';
L12: import {spawnSync} from 'node:child_process';
L13: import path from 'node:path';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/update.js · L3
admin/js/views/collection-entries.js
L1: import{api as h}from"../api.js";function M(t){return String(t).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;")}let y=null,g=null,p=[],j=1,w=[...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

admin/js/views/collection-entries.js · L1
bin/cli.js
Cross-file remote execution chain: bin/cli.js spawns public/js/site.js; helper contains network access plus dynamic code execution.
L7: import {cpSync, existsSync, mkdirSync, readdirSync, readFileSync, writeFileSync} from 'node:fs';
L8: import {spawnSync} from 'node:child_process';
L9: import path from 'node:path';
...
L16: const __filename = fileURLToPath(import.meta.url);
L17: const __dirname = path.dirname(__filename);
L18: const PACKAGE_ROOT = path.resolve(__dirname, '..');
...
L129: function step(label) {
L130:   process.stdout.write(` ${label}…`);
L131: }
...
L190: try {
L191:   const manifest = JSON.parse(readFileSync(manifestPath, 'utf8'));
L192:   for (const {path: relPath, content} of (manifest.scaffold?.reset || [])) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/cli.js · L7

Findings

4 High · 4 Medium · 5 Low
High: Child Process (bin/update.js)
High: Shell
High: Cross File Remote Execution Context (bin/cli.js)
High: Runtime Package Install (bin/update.js)
Medium: Dynamic Require (admin/js/views/collection-entries.js)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Telemetry
Low: Url Strings