gabion@0.1.20

⚠ Under review

Gabion development framework — thin CLI for authenticated runtime distribution

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version (gabion@0.1.18) introduced dangerous source.

Decision evidence

public snapshot

Behavioral surface
  Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
  Supply chain: Url Strings
  Manifest: no manifest risk signals triggered.

Scanned 11 file(s), 35.8 KB of source; external domains: api.gabion.dev

Source & flagged code

3 flagged

dist/delegate.js, L2:
  import { existsSync } from "fs";
  import { spawnSync } from "child_process";
  import { join } from "path";

High · Child Process
Package source references child process execution (spawnSync imported from child_process).

dist/install.js, previous-version delta:
  matchType = previous_version_dangerous_delta
  matchedPackage = gabion@0.1.18
  matchedIdentity = npm:Z2FiaW9u:0.1.18
  similarity = 0.700
  summary = stored previous version shares package body but lacks this dangerous source file

Critical · Previous Version Dangerous Delta
This package version adds a dangerous source file (dist/install.js) that is absent from the previous stored version; route for source-aware review.

dist/install.js, L158:
  approveRuntimeScripts(RUNTIME_DIR);
  const npmResult = spawnSync("npm", ["install", "--omit=dev", "--no-fund", "--no-audit"], {
    cwd: RUNTIME_DIR,
    ...
  if (npm[redacted] !== 0) {
    return fail("npm install in runtime failed");
  }

High · Runtime Package Install
Package source invokes a package manager install command at runtime. Whatever npm resolves into RUNTIME_DIR is fetched when the CLI runs, not when the package was published, so it is outside the 11 files this static scan covered; the --no-audit flag additionally suppresses npm's own audit report for that install.
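The Child Process and Previous Version Dangerous Delta findings above describe a check a reviewer can reproduce locally before deciding on the route. The following is an added example, not the registry scanner's rule set and not gabion's own code: it compares two package bodies given as path-to-source maps, reports files that are new or that newly gained a dangerous signal, and computes a file-set similarity in the spirit of the 0.700 figure above. The regex pattern list, the Jaccard similarity metric, the 0.5 lineage threshold, and the sample package contents are all assumptions constructed for illustration; the scanner's real patterns and metric are not published on this page. It goes slightly beyond the finding by also flagging existing files that gained a signal, not only added files.

```javascript
// Added example: a minimal "previous version dangerous delta" check.
// Not the registry scanner's rules and not gabion's code. The patterns,
// the similarity metric (Jaccard over file paths) and the 0.5 lineage
// threshold are assumptions chosen for illustration.

const DANGEROUS_PATTERNS = [
  // Any child_process call site (the "Child Process" signal).
  { id: "child_process",
    re: /\b(?:spawn|spawnSync|exec|execSync|execFile|execFileSync|fork)\s*\(/ },
  // A package manager install invoked through child_process, either as
  // spawn("npm", ["install", ...]) or exec("npm install ...")
  // (the "Runtime Package Install" signal).
  { id: "runtime_package_install",
    re: /\b(?:spawn|spawnSync|exec|execSync|execFile|execFileSync)\s*\(\s*["'](?:(?:npm|pnpm|yarn|npx)["']\s*,\s*\[\s*["'](?:install|i|add|ci)["']|(?:npm|pnpm|yarn)\s+(?:install|i|add|ci)\b)/ },
  // shell: true hands the command line to /bin/sh or cmd.exe (the "Shell" signal).
  { id: "shell", re: /\bshell\s*:\s*true\b/ },
];

// Signal ids present in one file's source text, in pattern order.
function scanSource(source) {
  return DANGEROUS_PATTERNS.filter((p) => p.re.test(source)).map((p) => p.id);
}

// Jaccard similarity of the two versions' file-path sets: a cheap proxy for
// "same package body" before a delta between them is trusted.
function bodySimilarity(prev, curr) {
  const a = new Set(Object.keys(prev));
  const b = new Set(Object.keys(curr));
  const shared = [...a].filter((f) => b.has(f)).length;
  const union = new Set([...a, ...b]).size;
  return union === 0 ? 0 : shared / union;
}

// Files in `curr` that are new relative to `prev` and carry a dangerous
// signal, plus files that existed before but newly gained a signal.
function dangerousDelta(prev, curr, minSimilarity = 0.5) {
  const similarity = bodySimilarity(prev, curr);
  const findings = [];
  for (const [file, source] of Object.entries(curr)) {
    const now = scanSource(source);
    if (now.length === 0) continue;
    if (!Object.prototype.hasOwnProperty.call(prev, file)) {
      findings.push({ file, change: "added", signals: now });
    } else {
      const before = new Set(scanSource(prev[file]));
      const gained = now.filter((s) => !before.has(s));
      if (gained.length > 0) findings.push({ file, change: "modified", signals: gained });
    }
  }
  return { similarity, sameLineage: similarity >= minSimilarity, findings };
}

// Constructed sample bodies (illustrative; not the contents of any real gabion release).
const SAMPLE_PREVIOUS = {
  "package.json": '{ "name": "example-pkg", "version": "0.1.18", "main": "dist/index.js" }',
  "dist/index.js": 'export { delegate } from "./delegate.js";',
  "dist/delegate.js":
    'import { existsSync } from "fs";\n' +
    'export function delegate(dir) { return existsSync(dir); }',
};
const SAMPLE_CURRENT = {
  "package.json": '{ "name": "example-pkg", "version": "0.1.20", "main": "dist/index.js" }',
  "dist/index.js": 'export { delegate } from "./delegate.js";',
  "dist/delegate.js":
    'import { spawnSync } from "child_process";\n' +
    'import { join } from "path";\n' +
    'export function delegate(dir) { return spawnSync(process.execPath, [join(dir, "main.js")]); }',
  "dist/install.js":
    'import { spawnSync } from "child_process";\n' +
    'const r = spawnSync("npm", ["install", "--omit=dev"], { cwd: RUNTIME_DIR });\n' +
    'if (r.status !== 0) throw new Error("npm install in runtime failed");',
};

console.log(JSON.stringify(dangerousDelta(SAMPLE_PREVIOUS, SAMPLE_CURRENT), null, 2));
```

To run the same check against the real versions, fetch both tarballs with `npm pack gabion@0.1.18` and `npm pack gabion@0.1.20`, extract them, and build the two maps by reading each file under `package/`; the stored-version comparison the scanner reports is only as good as the snapshot it kept, so a local diff of the published tarballs is the independent confirmation a source-aware review should start from.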

Findings

1 Critical, 3 High, 2 Medium, 4 Low

Severity  Finding                           File
Critical  Previous Version Dangerous Delta  dist/install.js
High      Child Process                     dist/delegate.js
High      Shell
High      Runtime Package Install           dist/install.js
Medium    Network
Medium    Environment Vars
Low       Non Install Lifecycle Scripts
Low       Scripts Present
Low       Filesystem
Low       Url Strings