registry  /  neondiff  /  1.0.0

neondiff@1.0.0

Local-first AI PR reviewer for teams that want current-head reviews without handing every diff to a hosted review SaaS.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 72 file(s), 1.49 MB of source, external domains: api.github.com, example.invalid, github.com, neondiff-license.fly.dev, neondiff.local

Source & flagged code

4 flagged · loading source
dist/src/providers.jsView file
782patternName = generic_password severity = medium line = 782 matchedText = url.pass...t]";
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/src/providers.jsView on unpkg · L782
dist/src/cli.jsView file
1#!/usr/bin/env node L2: import { spawnSync } from "node:child_process"; L3: import { fileURLToPath } from "node:url"; ... L44: import { parsePositiveInteger } from "./cli-args.js"; L45: const LAUNCHCTL_TIMEOUT_MS = 15_000; L46: const PLUTIL_TIMEOUT_MS = 5_000; ... L65: if (!result.ok) L66: process.exitCode = 1; L67: return; ... L98: if (command === "checkout-issuance-smoke") { L99: const url = parseSingleArg(args.url ?? "https://neondiff-license.fly.dev/v1/admin/licenses/issue", "--url"); L100: const releaseVersion = parseSingleArg(args["release-version"] ?? "v1.0.0", "--release-version");
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/src/cli.jsView on unpkg · L1
dist/src/config.jsView file
1import { existsSync, readFileSync } from "node:fs"; L2: import { isIP } from "node:net"; L3: import { dirname, join } from "node:path"; ... L140: publicReposFree: true, L141: privateReposRequireEntitlement: true, L142: [redacted]: true ... L273: export function loadConfig(configPath) { L274: const fromFile = configPath && existsSync(configPath) ? JSON.parse(readFileSync(configPath, "utf8")) : {}; L275: return loadConfigFromObject(fromFile); ... L284: merged.github.privateKeyPath = resolveEnvAlias({ L285: primaryName: "NEONDIFF_GITHUB_APP_PRIVATE_KEY_PATH", L286: legacyName: "EVAOS_REVIEW_BOT_PRIVATE_KEY_PATH",
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/src/config.jsView on unpkg · L1
dist/src/local-dashboard.jsView file
matchType = previous_version_dangerous_delta matchedPackage = neondiff@0.4.30-beta.1 matchedIdentity = npm:bmVvbmRpZmY:0.4.30-beta.1 similarity = 0.536 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/local-dashboard.jsView on unpkg

Findings

2 High5 Medium5 Low
HighCloud Metadata Accessdist/src/config.js
HighPrevious Version Dangerous Deltadist/src/local-dashboard.js
MediumSecret Patterndist/src/providers.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/src/cli.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License