registry  /  githolon  /  0.98.2

githolon@0.98.2

githolon — the Nomos developer CLI: Rails-style generators for @githolon/dsl domains + the package compiler. Kernel-independent.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 597 KB of source, external domains: 127.0.0.1, dev-idp.local, kjbcjkihxskuwwfdqklt.supabase.co, nomos.captainapp.co.uk, unborn.invalid

Source & flagged code

4 flagged · loading source
dist/cli.mjsView file
5512patternName = supabase_service_key severity = critical line = 5512 matchedText = DEFAULT_...SI";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/cli.mjsView on unpkg · L5512
5512patternName = supabase_service_key severity = critical line = 5512 matchedText = DEFAULT_...SI";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/cli.mjs

dist/cli.mjsView on unpkg · L5512
2985try { L2986: return dirname2(createRequire(pathToFileURL(join3(fromDir, "noop.js")).href).resolve(`${name}/package.json`)); L2987: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.mjsView on unpkg · L2985
dist/dev-server.mjsView file
44const encoding = typeof opts === "string" ? opts : opts && opts.encoding; L45: return encoding ? new TextDecoder().decode(data) : new Uint8Array(data); L46: }, ... L195: async function lsRefs(remote, headers = {}, { service = "git-upload-pack", prefix = null } = {}) { L196: const r = await fetch(`${remote}/info/refs?service=${service}`, { headers }); L197: if (!r.ok) { ... L232: headers: { "content-type": "application/x-git-upload-pack-request", "accept": "application/x-git-upload-pack-result", ...headers }, L233: body: concatBytes(parts) L234: }); ... L331: // ../adapter/engine.ts L332: import { WASI, File, Directory, OpenFile, ConsoleStdout, PreopenDirectory } from "@bjorn3/browser_wasi_shim"; L333: function b64Bytes(bytes) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/dev-server.mjsView on unpkg · L44

Findings

2 Critical4 Medium7 Low
CriticalCritical Secretdist/cli.mjs
CriticalSecret Patterndist/cli.mjs
MediumDynamic Requiredist/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/dev-server.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License