registry  /  hdoc-tools  /  0.55.0

hdoc-tools@0.55.0

Hornbill HDocBook Development Support Tool

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 25 file(s), 680 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, docs.hornbill.com, en.wikipedia.org, engelschall.com, github.com, hdoc-mermaid-intercept.invalid, jquery.org, lodash.com, openjsf.org, opensource.org, tldrlegal.com, underscorejs.org, www.w3.org
Oversized source lightweight scan
ui/js/mermaid.min.js4.49 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedTelemetryUrlStringsen.wikipedia.orgengelschall.comgithub.comjquery.orglodash.comopenjsf.orgopensource.orgtldrlegal.comunderscorejs.orgwww.w3.org

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.preinstall = node validateNodeVer
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.preinstall = node validateNodeVer
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
hdoc-install-browser.jsView file
21(async () => { L22: const fs = require("node:fs"); L23: const path = require("node:path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

hdoc-install-browser.jsView on unpkg · L21
hdoc-edit.jsView file
22const os = require("node:os"); L23: const { execFile } = require("node:child_process"); L24: const hdoc = require(path.join(__dirname, "hdoc-module.js")); L25: L26: const sha1 = (data) => L27: crypto.createHash("sha1").update(Buffer.from(data)).digest("hex"); L28: const { create_content_handler, build_nav_inline } = require( ... L92: const broadcast = (evt) => { L93: const data = `data: ${JSON.stringify(evt)}\n\n`; L94: for (const c of sse_clients) { ... L618: : 4096; L619: const AI_ENDPOINT = "https://api.anthropic.com/v1/messages";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

hdoc-edit.jsView on unpkg · L22
ui/css/theme-default/fonts/inter-roman-greek.woff2View file
path = ui/css/theme-default/fonts/inter-roman-greek.woff2 kind = high_entropy_blob sizeBytes = 21776 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

ui/css/theme-default/fonts/inter-roman-greek.woff2View on unpkg
ui/js/mermaid.min.jsView file
path = ui/js/mermaid.min.js kind = oversized_source_file sizeBytes = 4712175 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

ui/js/mermaid.min.jsView on unpkg

Findings

3 High5 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobui/css/theme-default/fonts/inter-roman-greek.woff2
HighOversized Source Fileui/js/mermaid.min.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirehdoc-install-browser.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak Cryptohdoc-edit.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings