registry  /  extension-develop  /  4.0.2

extension-develop@4.0.2

⚠ Under review

Develop, build, preview, and package Extension.js projects.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 54 file(s), 4.84 MB of source, external domains: codeload.github.com, crbug.com, developer.chrome.com, example.invalid, extension.js.org, github.com, radix-ui.com, react.dev, rspack.rs, www.typescriptlang.org, www.w3.org

Source & flagged code

7 flagged · loading source
dist/839.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = extension-develop@4.0.1 matchedIdentity = npm:ZXh0ZW5zaW9uLWRldmVsb3A:4.0.1 similarity = 0.944 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/839.mjsView on unpkg
2import { createRequire } from "module"; L3: import { execFileSync, spawn, spawnSync as external_child_process_spawnSync } from "child_process"; L4: import { buildExecEnv, [redacted] } from "prefers-yarn";
High
Child Process

Package source references child process execution.

dist/839.mjsView on unpkg · L2
360...useShell ? { L361: shell: true L362: } : {}
High
Shell

Package source references shell execution.

dist/839.mjsView on unpkg · L360
2Cross-file remote execution chain: dist/839.mjs spawns dist/0~rspack-config.mjs; helper contains network access plus dynamic code execution. L2: import { createRequire } from "module"; L3: import { execFileSync, spawn, spawnSync as external_child_process_spawnSync } from "child_process"; L4: import { buildExecEnv, [redacted] } from "prefers-yarn"; ... L27: const raw = 'string' == typeof text ? text : String(text || ''); L28: const s = raw && 0xfeff === raw.charCodeAt(0) ? raw.slice(1) : raw; L29: return JSON.parse(s || '{}'); ... L31: const cjsRequire = createRequire(import.meta.url); L32: if (!process.env.EXTENSION_JS_OPTIONAL_DEPS_VERSION) process.env.EXTENSION_JS_OPTIONAL_DEPS_VERSION = package_namespaceObject.rE; L33: function resolveDevelopRootFromDir(dir) { L34: try { L35: const packageJsonPath = __rspack_external_path.join(dir, 'package.json'); L36: if (!__rspack_external_fs.existsSync(packageJsonPath)) return;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/839.mjsView on unpkg · L2
1import { createRequire as __extjsCreateRequire } from "node:module"; const require = __extjsCreateRequire(import.meta.url); L2: import { createRequire } from "module";
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/839.mjsView on unpkg · L1
dist/0~rspack-config.mjsView file
1759const req = createRequire(configPath); L1760: const fn = new Function('require', 'module', 'exports', '__filename', '__dirname', source); L1761: fn(req, moduleObj, exportsObj, configPath, __rspack_external_path.dirname(configPath));
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/0~rspack-config.mjsView on unpkg · L1759
71try { L72: return JSON.parse(__rspack_external_fs.readFileSync(filePath, 'utf-8')); L73: } catch { ... L79: while(true){ L80: const packageJsonPath = __rspack_external_path.join(currentDir, 'package.json'); L81: const packageJson = tryReadJson(packageJsonPath); ... L225: trackChange(projectPath, folder, change, filePath) { L226: if ('true' === process.env.EXTENSION_AUTHOR_MODE) console.log(specialFolderChangeDetected('add' === change ? 'add' : 'remove', folder, __rspack_external_path.relative(projectPath, ... L227: this.pendingChanges.push({ ... L233: collectChanges(compiler) { L234: const projectPath = compiler.options.context || process.cwd(); L235: this.snapshotFolderFiles(projectPath);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/0~rspack-config.mjsView on unpkg · L71

Findings

1 Critical3 High4 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/839.mjs
HighChild Processdist/839.mjs
HighShelldist/839.mjs
HighCross File Remote Execution Contextdist/839.mjs
MediumDynamic Requiredist/839.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/0~rspack-config.mjs
LowWeak Cryptodist/0~rspack-config.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings