gabion@0.1.16

Gabion development framework — thin CLI for authenticated runtime distribution

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

Source: public snapshot

Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: Url Strings
Manifest: No manifest risk signals triggered.
scanned 11 file(s), 31.9 KB of source, external domains: api.gabion.dev

Source & flagged code

2 flagged

dist/delegate.js

L2: import { existsSync } from "fs";
L3: import { spawnSync } from "child_process";
L4: import { join } from "path";
High
Child Process

Package source references child process execution.

dist/delegate.js · L2

dist/install.js

L158: approveRuntimeScripts(RUNTIME_DIR);
L159: const npmResult = spawnSync("npm", ["install", "--omit=dev"], {
L160:   cwd: RUNTIME_DIR,
...
L163: if (npm[redacted] !== 0) {
L164:   return fail("npm install in runtime failed");
L165: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/install.js · L158

Findings

3 High, 2 Medium, 4 Low

High: Child Process (dist/delegate.js)
High: Shell
High: Runtime Package Install (dist/install.js)
Medium: Network
Medium: Environment Vars
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Filesystem
Low: Url Strings