registry  /  flex-cli  /  1.16.0

flex-cli@1.16.0

Sharetribe Flex CLI

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 801 KB of source, external domains: flex-build-api.sharetribe.com, stripe.com

Source & flagged code

3 flagged · loading source
target/min.jsView file
28function Zb(a,b){Yb(a);if(b){b=Number(b);if(isNaN(b)||0>b)throw Error("Bad port number "+b);a.je=b}else a.je=null}m.getPath=function(){return this.ie};function $b(a,b,c){Yb(a);b in... L29: m.Cg=function(a){this.rc=a;this.Mc&&this.Mc.Cg(a)};function ac(a,b){return a?b?decodeURI(a.replace(/%25/g,"%2525")):decodeURIComponent(a):""}function cc(a,b,c){return"string"===typ... L30: function jc(a){a.lb||(a.lb=new Qb,a.Sa=0,a.fc&&Vb(a.fc,function(b,c){a.add(decodeURIComponent(b.replace(/\+/g," ")),c)}))}m=bc.prototype;m.Zg=function(){jc(this);return this.Sa};m.... ... L540: function vn(a){return null!=a?q===a.hi?!0:!1:!1}function wn(a,b,c){var d=Error(a);this.message=a;this.data=b;this.Qg=c;this.name=d.name;this.description=d.description;this.number=d... L541: wn.prototype.ca=function(a,b,c){le(b,"#error {:message ");wm(this.message,b,c);t(this.data)&&(le(b,", :data "),wm(this.data,b,c));t(this.Qg)&&(le(b,", :cause "),wm(this.Qg,b,c));re... L542: var An="arguments abstract await boolean break byte case catch char class const continue debugger default delete do double else enum export extends final finally float for function... L543: function Cn(a){null==Bn&&(Bn=bd(function(b,c){b[c]=!0
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

target/min.jsView on unpkg · L28
546function In(a,b){this.he=a;this.name=b;this.l=6291456;this.P=0}function Jn(a,b){var c=En(v.ra(b)),d=a.he;return null!==d&&c in d?(b=Xe.g(v.ra(a.name),v.ra(b)),new $e(Hn(a.he,c),b,n... L547: function Mn(a,b){for(;;){if(null==a)return null;if(null==b)return a;a=zb(a,M(b));b=O(b)}}function Nn(a){var b=En(v.ra(a)).split(".");return Mn(function(){try{var c=eval(M(b));retur... L548: function On(){var a=Pn,b=Nn(a),c=new In(b,a);return bd(function(d,e){var h=Xe.ra(Fn(e));return Zf.h(d,h,new $e(function(){return zb(b,e)},Xe.g(v.ra(a),v.ra(h)),new r(null,1,[Kn,c],...
Low
Eval

Package source references a known benign dynamic code generation pattern.

target/min.jsView on unpkg · L546
28function Zb(a,b){Yb(a);if(b){b=Number(b);if(isNaN(b)||0>b)throw Error("Bad port number "+b);a.je=b}else a.je=null}m.getPath=function(){return this.ie};function $b(a,b,c){Yb(a);b in... L29: m.Cg=function(a){this.rc=a;this.Mc&&this.Mc.Cg(a)};function ac(a,b){return a?b?decodeURI(a.replace(/%25/g,"%2525")):decodeURIComponent(a):""}function cc(a,b,c){return"string"===typ... L30: function jc(a){a.lb||(a.lb=new Qb,a.Sa=0,a.fc&&Vb(a.fc,function(b,c){a.add(decodeURIComponent(b.replace(/\+/g," ")),c)}))}m=bc.prototype;m.Zg=function(){jc(this);return this.Sa};m.... ... L540: function vn(a){return null!=a?q===a.hi?!0:!1:!1}function wn(a,b,c){var d=Error(a);this.message=a;this.data=b;this.Qg=c;this.name=d.name;this.description=d.description;this.number=d... L541: wn.prototype.ca=function(a,b,c){le(b,"#error {:message ");wm(this.message,b,c);t(this.data)&&(le(b,", :data "),wm(this.data,b,c));t(this.Qg)&&(le(b,", :cause "),wm(this.Qg,b,c));re... L542: var An="arguments abstract await boolean break byte case catch char class const continue debugger default delete do double else enum export extends final finally float for function... L543: function Cn(a){null==Bn&&(Bn=bd(function(b,c){b[c]=!0
Low
Weak Crypto

Package source references weak cryptographic algorithms.

target/min.jsView on unpkg · L28

Findings

1 High3 Medium6 Low
HighObfuscated Payload Loadertarget/min.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaltarget/min.js
LowWeak Cryptotarget/min.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings