jsgotty@1.1.3

⚠ Under review

Share your terminal as a web application: A JavaScript rewrite of GoTTY

Static Scan Results

scanned 8h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, NativeBindings, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Minified, UrlStrings
Manifest
NoLicense
scanned 60 file(s), 2.02 MB of source, external domains: bugs.webkit.org, developer.mozilla.org, getbootstrap.com, github.com, html.spec.whatwg.org, rtlcss.com, rtlstyling.com, stackoverflow.com, www.w3.org

Source & flagged code

8 flagged
patches/windowsPtyAgent.js
L11: var path = require("path");
L12: var child_process_1 = require("child_process");
L13: var net_1 = require("net");
High
Child Process

Package source references child process execution.

patches/windowsPtyAgent.js · L11
L2:
L3: const fs = require("fs");
L4: const path = require("path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

sz.js · L2
zmodem-node.js
L3: const os = require("os");
L4: const { spawnSync } = require("child_process");
L5: const vm = require("vm");
...
L29: assetsHelper?.readInternalAssetText?.(bundleAssetPath) ??
L30: fs.readFileSync(path.join(compiledHelper?.REPO_ROOT ?? __dirname, "static", "js", "zmodem.js"), "utf8");
L31: const bundlePath = path.join(compiledHelper?.REPO_ROOT ?? __dirname, "static", "js", "zmodem.js");
...
L35: warn() {},
L36: error: (...args) => process.stderr.write(`${args.join(" ")}\n`),
L37: };
...
L48: Promise,
L49: TextDecoder,
L50: TextEncoder,
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

zmodem-node.js · L3
lib/node-pty/scripts/gen-compile-commands.js
L7: console.log(`\x1b[32m> Generating compile_commands.json...\x1b[0m`);
L8: execSync('npx --offline node-gyp configure -- -f compile_commands_json');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/node-pty/scripts/gen-compile-commands.js · L7
lib/node-pty/third_party/conpty/1.23.251008001/win10-arm64/conpty.dll
path = lib/node-pty/third_party/conpty/1.23.251008001/win10-arm64/conpty.dll kind = native_binary sizeBytes = 106528 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

lib/node-pty/third_party/conpty/1.23.251008001/win10-arm64/conpty.dll
single-exe/packAssets.sh
path = single-exe/packAssets.sh kind = build_helper sizeBytes = 105 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

single-exe/packAssets.sh
lib/node-pty/deps/winpty/src/tests/subdir.mk
path = lib/node-[redacted].mk kind = payload_in_excluded_dir sizeBytes = 1304 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

lib/node-pty/deps/winpty/src/tests/subdir.mk
gotty.js
matchType = previous_version_dangerous_delta matchedPackage = jsgotty@1.1.1 matchedIdentity = npm:anNnb3R0eQ:1.1.1 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

gotty.js

Findings

1 Critical · 4 High · 7 Medium · 4 Low

Critical: Previous Version Dangerous Delta (gotty.js)
High: Child Process (patches/windowsPtyAgent.js)
High: Shell
High: Runtime Package Install (lib/node-pty/scripts/gen-compile-commands.js)
High: Payload In Excluded Dir (lib/node-pty/deps/winpty/src/tests/subdir.mk)
Medium: Dynamic Require (sz.js)
Medium: Unsafe Vm Context (zmodem-node.js)
Medium: Network
Medium: Environment Vars
Medium: Ships Native Binary (lib/node-pty/third_party/conpty/1.23.251008001/win10-arm64/conpty.dll)
Medium: Ships Build Helper (single-exe/packAssets.sh)
Medium: Structural Risk Force Deep Review
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings
Low: No License