registry  /  forjajs  /  1.1.5

forjajs@1.1.5

Forja — framework CLI-first de orquestração multiagente, memória hierárquica e geração de projetos com IA

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 171 file(s), 434 KB of source, external domains: cdn.tailwindcss.com, github.com

Source & flagged code

6 flagged · loading source
bin/forja.mjsView file
16import path from 'node:path'; L17: import { spawnSync } from 'node:child_process'; L18: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

bin/forja.mjsView on unpkg · L16
lib/core/release.mjsView file
264status: 'fail', L265: detail: `${quebrados.length} import(s) sem destino no tarball: ${quebrados.slice(0, 3).join('; ')}`, L266: fix: 'adicione o arquivo ao files[] do package.json',
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/core/release.mjsView on unpkg · L264
scripts/hook-user-prompt.mjsView file
6* - stdin: JSON com { prompt, session_id, ... } L7: * - stdout: JSON com { hookSpecificOutput: { hookEventName, additionalContext } } ou vazio L8: * ... L29: const __filename = fileURLToPath(import.meta.url); L30: const __dirname = path.dirname(__filename); L31: const root = path.resolve(__dirname, '..'); ... L52: try { L53: const cfg = JSON.parse(fs.readFileSync(path.join(root, '.memoryrc.json'), 'utf8')); L54: return cfg.hooks || {}; ... L58: function keywordTriggered(prompt) { L59: if (process.env.FRAMEWORK_HOOK_INJECT !== '1') return false; L60: if (!prompt) return false;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

scripts/hook-user-prompt.mjsView on unpkg · L6
scripts/hook-session-start.mjsView file
47package = forjajs; repositoryIdentity = forja; dependency = better-sqlite3 L47: const { getWorkspaceDbPath } = await import('../lib/workspace.mjs'); L48: const { default: Database } = await import('better-sqlite3'); L49: const db = new Database(getWorkspaceDbPath(), { readonly: true });
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

scripts/hook-session-start.mjsView on unpkg · L47
scripts/tools-doctor.mjsView file
20L21: import { spawnSync } from 'node:child_process'; L22: ... L29: role: 'Code intelligence: chamadores, blast radius, mapa de impacto (ADR-0017).', L30: install: 'npm i -g @codegraph/cli', L31: gate: 'npm run code:check / code:impact',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/tools-doctor.mjsView on unpkg · L20
scripts/pre-commit.shView file
path = scripts/pre-commit.sh kind = build_helper sizeBytes = 4414 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/pre-commit.shView on unpkg

Findings

4 High5 Medium6 Low
HighChild Processbin/forja.mjs
HighShell
HighCopied Package Dependency Bridgescripts/hook-session-start.mjs
HighRuntime Package Installscripts/tools-doctor.mjs
MediumDynamic Requirelib/core/release.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/pre-commit.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptoscripts/hook-user-prompt.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings