extension-develop@4.0.5

⚠ Under review

Develop, build, preview, and package Extension.js projects.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Minified, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 54 file(s), 4.84 MB of source, external domains: codeload.github.com, crbug.com, developer.chrome.com, example.invalid, extension.js.org, github.com, radix-ui.com, react.dev, rspack.rs, www.typescriptlang.org, www.w3.org

Source & flagged code

7 flagged
dist/839.mjs
matchType = previous_version_dangerous_delta
matchedPackage = extension-develop@4.0.1
matchedIdentity = npm:ZXh0ZW5zaW9uLWRldmVsb3A:4.0.1
similarity = 0.574
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/839.mjs
L2: import { createRequire } from "module";
L3: import { execFileSync, spawn, spawnSync as external_child_process_spawnSync } from "child_process";
L4: import { buildExecEnv, [redacted] } from "prefers-yarn";
High
Child Process

Package source references child process execution.

dist/839.mjs · L2
L356: ...useShell ? {
L357: shell: true
L358: } : {}
High
Shell

Package source references shell execution.

dist/839.mjs · L356
Cross-file remote execution chain: dist/839.mjs spawns dist/0~rspack-config.mjs; helper contains network access plus dynamic code execution.
L2: import { createRequire } from "module";
L3: import { execFileSync, spawn, spawnSync as external_child_process_spawnSync } from "child_process";
L4: import { buildExecEnv, [redacted] } from "prefers-yarn";
...
L27: const cjsRequire = createRequire(import.meta.url);
L28: if (!process.env.EXTENSION_JS_OPTIONAL_DEPS_VERSION) process.env.EXTENSION_JS_OPTIONAL_DEPS_VERSION = package_namespaceObject.rE;
L29: function resolveDevelopRootFromDir(dir) {
L30: try {
L31: const packageJsonPath = __rspack_external_path.join(dir, 'package.json');
L32: if (!__rspack_external_fs.existsSync(packageJsonPath)) return;
...
L53: if (__rspack_external_fs.existsSync(packageJsonPath)) try {
L54: const pkg = JSON.parse(__rspack_external_fs.readFileSync(packageJsonPath, 'utf-8'));
L55: if ('extension-develop' === pkg.name) return packageRoot;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/839.mjs · L2
L1: import { createRequire as __extjsCreateRequire } from "node:module"; const require = __extjsCreateRequire(import.meta.url);
L2: import { createRequire } from "module";
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/839.mjs · L1
dist/0~rspack-config.mjs
L1715: const req = createRequire(configPath);
L1716: const fn = new Function('require', 'module', 'exports', '__filename', '__dirname', source);
L1717: fn(req, moduleObj, exportsObj, configPath, __rspack_external_path.dirname(configPath));
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/0~rspack-config.mjs · L1715
L74: try {
L75: return JSON.parse(__rspack_external_fs.readFileSync(filePath, 'utf-8'));
L76: } catch {
...
L82: while(true){
L83: const packageJsonPath = __rspack_external_path.join(currentDir, 'package.json');
L84: const packageJson = tryReadJson(packageJsonPath);
...
L228: trackChange(projectPath, folder, change, filePath) {
L229: if ('true' === process.env.EXTENSION_AUTHOR_MODE) console.log(specialFolderChangeDetected('add' === change ? 'add' : 'remove', folder, __rspack_external_path.relative(projectPath, ...
L230: this.pendingChanges.push({
...
L236: collectChanges(compiler) {
L237: const projectPath = compiler.options.context || process.cwd();
L238: this.snapshotFolderFiles(projectPath);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/0~rspack-config.mjs · L74

Findings

1 Critical · 3 High · 4 Medium · 7 Low
Critical · Previous Version Dangerous Delta · dist/839.mjs
High · Child Process · dist/839.mjs
High · Shell · dist/839.mjs
High · Cross File Remote Execution Context · dist/839.mjs
Medium · Dynamic Require · dist/839.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · dist/0~rspack-config.mjs
Low · Weak Crypto · dist/0~rspack-config.mjs
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings