registry  /  gina  /  0.5.15

gina@0.5.15

⚠ Under review

Node.js MVC framework with built-in HTTP/2, multi-bundle architecture, and scope-based data isolation — no Express dependency

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 22 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 309 file(s), 6.77 MB of source, external domains: api.deepseek.com, api.groq.com, api.mistral.ai, api.perplexity.ai, api.together.xyz, api.x.ai, blog.couchbase.com, blog.stevenlevithan.com, bundle-dev-scope-v1.docmain.com, dashscope.aliyuncs.com, developer.couchbase.com, developer.mozilla.org, developers.google.com, domain.local, en.wikipedia.org, example.com, generativelanguage.googleapis.com, gina.io, github.com, hstspreload.org, html.spec.whatwg.org, modelcontextprotocol.io, nodejs.org, planetcalc.com, requirejs.org, stackoverflow.com, stuk.github.io, www.npmjs.com, www.w3.org

Source & flagged code

14 flagged · loading source
package.jsonView file
scripts.preinstall = node script/pre_install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
framework/v0.5.15/core/controller/controller.jsView file
matchType = previous_version_dangerous_delta matchedPackage = gina@0.5.9 matchedIdentity = npm:Z2luYQ:0.5.9 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

framework/v0.5.15/core/controller/controller.jsView on unpkg
13const { pipeline } = require('stream/promises'); L14: const exec = require('child_process').exec; L15: var util = require('util');
High
Child Process

Package source references child process execution.

framework/v0.5.15/core/controller/controller.jsView on unpkg · L13
framework/v0.5.15/lib/cmd/framework/tail.jsView file
279// exec the binary directly so no part of the parsed log content reaches L280: // `/bin/sh -c`. The saved argv always carries `bundle:start` (bin/gina L281: // rewrites restart->start), so the guard never blocks a legitimate restart.
High
Shell

Package source references shell execution.

framework/v0.5.15/lib/cmd/framework/tail.jsView on unpkg · L279
framework/v0.5.15/core/connectors/couchbase/index.jsView file
394if (optionsArr) { L395: // CB-QUAL-2 fix: replaced eval() with JSON.parse() for @options parsing. L396: // @options uses JavaScript object literal syntax with unquoted keys
Low
Eval

Package source references a known benign dynamic code generation pattern.

framework/v0.5.15/core/connectors/couchbase/index.jsView on unpkg · L394
framework/v0.5.15/core/connectors/postgresql/index.jsView file
9L10: var fs = require('fs'); L11: var sqlParser = require('./../sql-parser'); // #SQL1 state-machine comment stripper
Medium
Dynamic Require

Package source references dynamic require/import behavior.

framework/v0.5.15/core/connectors/postgresql/index.jsView on unpkg · L9
framework/v0.5.15/core/server.isaac.jsView file
6const crypto = require('crypto'); L7: const { execSync, exec } = require('child_process'); L8: const {EventEmitter} = require('events'); L9: // #B10 fix: engine.io is only needed when options.ioServer is configured (WebSocket support). L10: // Require it lazily so bundles without WebSocket support don't crash if engine.io is absent. ... L17: var _isDebugLog = function() { L18: return process.env.LOG_LEVEL === 'debug' || process.env.LOG_LEVEL === 'trace'; L19: };
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

framework/v0.5.15/core/server.isaac.jsView on unpkg · L6
framework/v0.5.15/core/gna.jsView file
28Cross-file remote execution chain: framework/v0.5.15/core/gna.js spawns framework/v0.5.[redacted].js; helper contains network access plus dynamic code execution. L28: const os = require('os'); L29: process.env.UV_THREADPOOL_SIZE = (os.cpus().length); L30: // #P1 — V8 bytecode cache. Node.js >= 22.8 caches compiled modules to disk so ... L33: if (!process.env.NODE_COMPILE_CACHE) { L34: process.env.NODE_COMPILE_CACHE = os.homedir() + '/.gina/cache/v8'; L35: } ... L48: process.env.GINA_V8_POINTER_COMPRESSED = 'true'; L49: process.stdout.write('[gina] V8 pointer compression active — heap limit: ' L50: + Math.round(_heapLimit / (1024 * 1024)) + ' MB per isolate\n'); ... L137: L138: var importedContext = JSON.parse( fs.readFileSync(_(ctxFilename, true)) ); L139:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

framework/v0.5.15/core/gna.jsView on unpkg · L28
script/smoke_in_container.jsView file
225L226: // 1. Install the candidate globally. Node: `npm install -g` (exercises L227: // pre/post-install). Bun: `bun add -g` — note Bun blocks dependency ... L233: log('bun add -g ' + TARBALL + ' ...'); L234: inst = spawnSync('bun', ['add', '-g', TARBALL], { stdio: 'inherit', timeout: 600000 }); L235: } else {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

script/smoke_in_container.jsView on unpkg · L225
framework/v0.5.15/core/asset/plugin/dist/vendor/gina/css/gina.min.css.brView file
path = framework/v0.5.[redacted].min.css.br kind = compressed_blob sizeBytes = 660 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

framework/v0.5.15/core/asset/plugin/dist/vendor/gina/css/gina.min.css.brView on unpkg
framework/v0.5.15/core/asset/plugin/dist/vendor/gina/inspector/have_heart_one-webfont.woff2View file
path = framework/v0.5.[redacted]have_heart_one-webfont.woff2 kind = high_entropy_blob sizeBytes = 144060 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

framework/v0.5.15/core/asset/plugin/dist/vendor/gina/inspector/have_heart_one-webfont.woff2View on unpkg
framework/v0.5.15/lib/secrets/src/main.jsView file
40patternName = generic_password severity = medium line = 40 matchedText = * var co...' };
Medium
Secret Pattern

Hardcoded password in framework/v0.5.15/lib/secrets/src/main.js

framework/v0.5.15/lib/secrets/src/main.jsView on unpkg · L40
233patternName = generic_password severity = medium line = 233 matchedText = * var co...] };
Medium
Secret Pattern

Hardcoded password in framework/v0.5.15/lib/secrets/src/main.js

framework/v0.5.15/lib/secrets/src/main.jsView on unpkg · L233
265patternName = generic_password severity = medium line = 265 matchedText = * db...' },
Medium
Secret Pattern

Hardcoded password in framework/v0.5.15/lib/secrets/src/main.js

framework/v0.5.15/lib/secrets/src/main.jsView on unpkg · L265

Findings

1 Critical7 High8 Medium6 Low
CriticalPrevious Version Dangerous Deltaframework/v0.5.15/core/controller/controller.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processframework/v0.5.15/core/controller/controller.js
HighShellframework/v0.5.15/lib/cmd/framework/tail.js
HighSame File Env Network Executionframework/v0.5.15/core/server.isaac.js
HighCross File Remote Execution Contextframework/v0.5.15/core/gna.js
HighRuntime Package Installscript/smoke_in_container.js
HighShips High Entropy Blobframework/v0.5.15/core/asset/plugin/dist/vendor/gina/inspector/have_heart_one-webfont.woff2
MediumDynamic Requireframework/v0.5.15/core/connectors/postgresql/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobframework/v0.5.15/core/asset/plugin/dist/vendor/gina/css/gina.min.css.br
MediumStructural Risk Force Deep Review
MediumSecret Patternframework/v0.5.15/lib/secrets/src/main.js
MediumSecret Patternframework/v0.5.15/lib/secrets/src/main.js
MediumSecret Patternframework/v0.5.15/lib/secrets/src/main.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalframework/v0.5.15/core/connectors/couchbase/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings