registry  /  medplum  /  5.1.23

medplum@5.1.23

Medplum Command Line Interface

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 226 KB of source, external domains: api.github.com, api.medplum.com, app.medplum.com, hl7.org, registry.npmjs.org, www.medplum.com

Source & flagged code

4 flagged · loading source
dist/esm/index.mjsView file
1#!/usr/bin/env node L2: import{MEDPLUM_VERSION as ro,normalizeErrorString as nt}from"@medplum/core";import{CommanderError as nr,Option as so}from"commander";import oo from"dotenv";import{ContentType as cr... L3: ${h.length} successful response(s):
High
Child Process

Package source references child process execution.

dist/esm/index.mjsView on unpkg · L1
1#!/usr/bin/env node L2: import{MEDPLUM_VERSION as ro,normalizeErrorString as nt}from"@medplum/core";import{CommanderError as nr,Option as so}from"commander";import oo from"dotenv";import{ContentType as cr... L3: ${h.length} successful response(s):
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/esm/index.mjsView on unpkg · L1
1#!/usr/bin/env node L2: import{MEDPLUM_VERSION as ro,normalizeErrorString as nt}from"@medplum/core";import{CommanderError as nr,Option as so}from"commander";import oo from"dotenv";import{ContentType as cr... L3: ${h.length} successful response(s): L4: `),i?h.length?i(h):console.info("No successful responses received"):console.table(h.length?h:"No successful responses received"),console.info(),f.length&&(console.info(`${f.length}... L5: `)}function F(e){p(`
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/esm/index.mjsView on unpkg · L1
dist/cjs/index.cjsView file
6`+e+` L7: `)}function V(e,t=""){return new Promise(r=>{lt.question(e+(t?" ("+t+")":"")+" ",s=>{r(s||t.toString())})})}async function Jt(e,t,r=""){let s=e+" ["+t.map(o=>o===r?"("+o+")":o).joi... L8:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cjs/index.cjsView on unpkg · L6

Findings

4 High3 Medium4 Low
HighChild Processdist/esm/index.mjs
HighSame File Env Network Executiondist/esm/index.mjs
HighCommand Output Exfiltrationdist/esm/index.mjs
HighRuntime Package Installdist/cjs/index.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings