registry  /  githolon  /  0.83.0

githolon@0.83.0

githolon — the Nomos developer CLI: Rails-style generators for @githolon/dsl domains + the package compiler. Kernel-independent.

Static Scan Results

scanned 7h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 531 KB of source, external domains: 127.0.0.1, kjbcjkihxskuwwfdqklt.supabase.co, nomos.captainapp.co.uk, unborn.invalid

Source & flagged code

5 flagged · loading source
dist/cli.mjsView file
5288patternName = supabase_service_key severity = critical line = 5288 matchedText = DEFAULT_...SI";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/cli.mjsView on unpkg · L5288
5288patternName = supabase_service_key severity = critical line = 5288 matchedText = DEFAULT_...SI";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/cli.mjs

dist/cli.mjsView on unpkg · L5288
2911try { L2912: return dirname2(createRequire(pathToFileURL(join3(fromDir, "noop.js")).href).resolve(`${name}/package.json`)); L2913: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.mjsView on unpkg · L2911
dist/dev-server.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = githolon@0.82.0 matchedIdentity = npm:Z2l0aG9sb24:0.82.0 similarity = 1.000 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/dev-server.mjsView on unpkg
44const encoding = typeof opts === "string" ? opts : opts && opts.encoding; L45: return encoding ? new TextDecoder().decode(data) : new Uint8Array(data); L46: }, ... L193: async function lsRefs(remote, headers = {}, { service = "git-upload-pack", prefix = null } = {}) { L194: const r = await fetch(`${remote}/info/refs?service=${service}`, { headers }); L195: if (!r.ok) { ... L230: headers: { "content-type": "application/x-git-upload-pack-request", "accept": "application/x-git-upload-pack-result", ...headers }, L231: body: concatBytes(parts) L232: }); ... L328: // ../adapter/engine.mjs L329: import { WASI, File, Directory, OpenFile, ConsoleStdout, PreopenDirectory } from "@bjorn3/browser_wasi_shim"; L330: function b64Bytes(bytes) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/dev-server.mjsView on unpkg · L44

Findings

2 Critical1 High4 Medium7 Low
CriticalCritical Secretdist/cli.mjs
CriticalSecret Patterndist/cli.mjs
HighPrevious Version Dangerous Deltadist/dev-server.mjs
MediumDynamic Requiredist/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/dev-server.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License