registry  /  forgedock  /  1.1.11

forgedock@1.1.11

Autonomous dev pipeline for Claude Code. GitHub as institutional memory — every issue, PR, and annotation survives context resets and makes the next agent smarter.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis completed at 93.0% confidence. No malicious behavior was detected; 15 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 51 file(s), 895 KB of source, external domains: acme.io, api.acme.io, api.anthropic.com, api.example.com, api.github.com, claude.com, cli.github.com, dev.to, docs.anthropic.com, forgedock.com, git-scm.com, gitforwindows.org, github.com, gql.hashnode.com, umami.acme.io

Source & flagged code

7 flagged · loading source
examples/forgedock-demo/src/db.jsView file
36// eslint-disable-next-line no-new-func L37: const predicate = new Function('row', `with (row) { return (${whereClause}); }`); L38: return notes.filter((row) => {
Low
Eval

Package source references a known benign dynamic code generation pattern.

examples/forgedock-demo/src/db.jsView on unpkg · L36
bin/hooks/pre-tool-use.mjsView file
5import { fileURLToPath, pathToFileURL } from "url"; L6: const _require = createRequire(import.meta.url); L7:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/hooks/pre-tool-use.mjsView on unpkg · L5
bin/forgedock.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = forgedock@1.1.9 matchedIdentity = npm:Zm9yZ2Vkb2Nr:1.1.9 similarity = 0.922 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/forgedock.mjsView on unpkg
15} from "fs"; L16: import { execSync, execFileSync } from "child_process"; L17: import { homedir } from "os"; L18: import https from "https"; L19: import { ... L85: const __filename = fileURLToPath(import.meta.url); L86: const __dirname = dirname(__filename); L87: ... L148: // os.homedir() as the always-available fallback (no hard exit — see #744). L149: const HOME = process.env.HOME || process.env.USERPROFILE || homedir(); L150: ... L252: * Strip JSONC syntax (single-line comments, block comments, trailing commas)
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/forgedock.mjsView on unpkg · L15
examples/forgedock-demo/bootstrap.shView file
path = examples/forgedock-demo/bootstrap.sh kind = build_helper sizeBytes = 4902 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

examples/forgedock-demo/bootstrap.shView on unpkg
docs/CONFIG.mdView file
464patternName = generic_password severity = medium line = 464 matchedText = password...ord"
Medium
Secret Pattern

Hardcoded password in docs/CONFIG.md

docs/CONFIG.mdView on unpkg · L464
473patternName = generic_password severity = medium line = 473 matchedText = password...ord"
Medium
Secret Pattern

Hardcoded password in docs/CONFIG.md

docs/CONFIG.mdView on unpkg · L473

Findings

1 High8 Medium6 Low
HighPrevious Version Dangerous Deltabin/forgedock.mjs
MediumDynamic Requirebin/hooks/pre-tool-use.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/forgedock.mjs
MediumShips Build Helperexamples/forgedock-demo/bootstrap.sh
MediumStructural Risk Force Deep Review
MediumSecret Patterndocs/CONFIG.md
MediumSecret Patterndocs/CONFIG.md
LowScripts Present
LowEvalexamples/forgedock-demo/src/db.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License