meno-studio@0.1.4

⚠ Under review

Meno Studio — the visual editor, served locally against your project folder.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, EnvironmentVars, Eval, Filesystem, NativeBindings, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, Minified, Obfuscated, Telemetry, UrlStrings
Manifest: NoLicense
scanned 12 file(s), 3.02 MB of source, external domains: 127.0.0.1, api.example.com, api.resend.com, api.webflow.com, cdn.jsdelivr.net, cdn.sanity.io, cdnjs.cloudflare.com, example.com, fonts.google.com, fonts.googleapis.com, github.com, meno.so, opencollective.com, reactjs.org, sharp.pixelplumbing.com, unpkg.com, webflow-ext.com, www.google.com, www.w3.org
Oversized source lightweight scan
studio-assets/entries/editor.js · 2.70 MB file, sampled 256 KB
Network, HighEntropyStrings, Minified, UrlStrings · reactjs.org, www.w3.org

Source & flagged code

11 flagged

studio-server.mjs
L2: import { createRequire } from 'module'; const require = createRequire(import.meta.url);
L3: var oie=Object.create;var b2=Object.defineProperty;var iie=Object.getOwnPropertyDescriptor;var aie=Object.getOwnPropertyNames;var uie=Object.getPrototypeOf,cie=Object.prototype.has...
L4: `):String(s)})}}catch(n){let r=n;if(t.throw)throw n;let s=[];if(r.logs&&Array.isArray(r.logs))for(let o of r.logs){let i=[];o.position?.line&&i.push(`Line ${o.position.line}:${o.po...
...
L15:
L16: `)||"Unknown JavaScript error"}}var _2,uL=y(()=>{"use strict";_2=typeof globalThis.Bun<"u"});var Ji=X((XMe,fL)=>{"use strict";var cL=["nodebuffer","arraybuffer","fragments"],lL=typ...
L17: `).join(`\r
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

studio-server.mjs · L2
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

studio-server.mjs · L2

L2: import { createRequire } from 'module'; const require = createRequire(import.meta.url);
L3: var oie=Object.create;var b2=Object.defineProperty;var iie=Object.getOwnPropertyDescriptor;var aie=Object.getOwnPropertyNames;var uie=Object.getPrototypeOf,cie=Object.prototype.has...
L4: `):String(s)})}}catch(n){let r=n;if(t.throw)throw n;let s=[];if(r.logs&&Array.isArray(r.logs))for(let o of r.logs){let i=[];o.position?.line&&i.push(`Line ${o.position.line}:${o.po...
...
L15:
L16: `)||"Unknown JavaScript error"}}var _2,uL=y(()=>{"use strict";_2=typeof globalThis.Bun<"u"});var Ji=X((XMe,fL)=>{"use strict";var cL=["nodebuffer","arraybuffer","fragments"],lL=typ...
L17: `).join(`\r
...
L21: \r
L22: `+n)}function $c(e,t,n,r,s,o){if(e.listenerCount("wsClientError")){let i=new Error(s);Error.captureStackTrace(i,$c),e.emit("wsClientError",i,n,t)}else dg(n,r,s,o)}});var wF={};ps(w...
L23: font-family: '${s}';
...
L530: var errorText = ${p};
L531: navigator.clipboard.writeText(errorText).then(function() {
L532: var span = copyBtn.querySelector('span');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

studio-server.mjs · L2

L1507: patternName = generic_password; severity = medium; line = 1507; matchedText = )`,enabl...sh(`
Medium
Secret Pattern

Package contains a possible secret pattern.

studio-server.mjs · L1507
Low
Weak Crypto

Package source references weak cryptographic algorithms.

studio-server.mjs · L2

bin/launch.mjs
matchType = previous_version_dangerous_delta; matchedPackage = meno-studio@0.1.1; matchedIdentity = npm:bWVuby1zdHVkaW8:0.1.1; similarity = 0.778; summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/launch.mjs

L10: */
L11: import { spawn } from 'node:child_process';
L12: import { basename, dirname, join } from 'node:path';
High
Child Process

Package source references child process execution.

bin/launch.mjs · L10

Cross-file remote execution chain: bin/launch.mjs spawns studio-server.mjs; helper contains network access plus dynamic code execution.
L4: * directory (your Meno project). No Electron; the host IDE owns files + git.
L5: * npx meno-studio dev # editor at http://localhost:<PORT>
L6: * npx meno-studio build # production astro build
...
L10: */
L11: import { spawn } from 'node:child_process';
L12: import { basename, dirname, join } from 'node:path';
...
L18:
L19: const sep = process.platform === 'win32' ? ';' : ':';
L20: const env = {
L21: ...process.env,
L22: MENO_STUDIO_ROOT: join(pkgRoot, 'studio-assets'),
...
L36: const child = spawn(process.execPath, [join(pkgRoot, 'studio-server.mjs'), ...args], {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/launch.mjs · L4

studio-assets/entries/client-editor-router.js
L48: }
L49: })();`;try{new Function(r)()}catch(o){console.error(`[Meno] Syntax error in ${n}:`,o)}}executeInstanceJS(t,n,r){try{let o=this.elementRegistry.getComponentProps(r);if(!o)return;let...
L50: // Component: ${t} (defineVars)
Low
Eval

Package source references a known benign dynamic code generation pattern.

studio-assets/entries/client-editor-router.js · L48

studio-assets/templates/fonts/InterVariable.woff2
path = studio-[redacted].woff2; kind = high_entropy_blob; sizeBytes = 352240; magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

studio-assets/templates/fonts/InterVariable.woff2

studio-assets/entries/editor.js
path = studio-assets/entries/editor.js; kind = oversized_source_file; sizeBytes = 2831727; magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

studio-assets/entries/editor.js

Findings

1 Critical · 8 High · 4 Medium · 8 Low

Critical · Previous Version Dangerous Delta · bin/launch.mjs
High · Child Process · bin/launch.mjs
High · Shell
High · Same File Env Network Execution · studio-server.mjs
High · Command Output Exfiltration · studio-server.mjs
High · Sandbox Evasion Gated Capability · studio-server.mjs
High · Cross File Remote Execution Context · bin/launch.mjs
High · Ships High Entropy Blob · studio-assets/templates/fonts/InterVariable.woff2
High · Oversized Source File · studio-assets/entries/editor.js
Medium · Secret Pattern · studio-server.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Eval · studio-assets/entries/client-editor-router.js
Low · Weak Crypto · studio-server.mjs
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · No License