registry  /  nitro-nightly  /  3.0.1-20260711-223101-ff018c15

nitro-nightly@3.0.1-20260711-223101-ff018c15

Build and Deploy Universal JavaScript Servers

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 141 file(s), 1.67 MB of source, external domains: blogs.msdn.com, cdn.jsdelivr.net, cdnjs.cloudflare.com, foo.com, github.com, rollupjs.org

Source & flagged code

10 flagged · loading source
dist/_presets.mjsView file
721"node:buffer", L722: "node:child_process", L723: "node:cluster",
High
Child Process

Package source references child process execution.

dist/_presets.mjsView on unpkg · L721
162Cross-file remote execution chain: dist/_presets.mjs spawns dist/_build/common.mjs; helper contains network access plus dynamic code execution. L162: entry: "./aws-amplify/runtime/aws-amplify", L163: manifest: { deploymentId: process.env.AWS_JOB_ID }, L164: serveStatic: true, ... L185: function prettyPath(p, highlight = true) { L186: p = relative$1(process.cwd(), p); L187: return highlight ? colors.cyan(p) : p; ... L198: try { L199: const currentNodeVersion = JSON.parse(await fsp.readFile(join$1(nitro.options.rootDir, "package.json"), "utf8")).engines.node; L200: if (supportedNodeVersions.has(currentNodeVersion)) nodeVersion = currentNodeVersion; ... L326: "node:diagnostics_channel", L327: "node:dns", L328: "node:dns/promises",
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/_presets.mjsView on unpkg · L162
dist/_libs/nypm+tinyexec.mjsView file
126]; L127: e = n.env?.comspec ?? "cmd.exe"; L128: n = {
High
Shell

Package source references shell execution.

dist/_libs/nypm+tinyexec.mjsView on unpkg · L126
dist/_libs/pluginutils.mjsView file
112function evalValue(rawValue) { L113: return new Function(` L114: var console, exports, global, module, process, require
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/_libs/pluginutils.mjsView on unpkg · L112
dist/_dev.mjsView file
141setTimeout(() => { L142: require(['vs/editor/editor.main'], function () { L143: monaco.editor.create(document.getElementById('editor'), ${JSON.stringify(options)})
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/_dev.mjsView on unpkg · L141
dist/_build/common.mjsView file
75function cwd$1() { L76: if (typeof process !== "undefined" && typeof process.cwd === "function") return process.cwd().replace(/\\/g, "/"); L77: return "/"; ... L210: "buffer", L211: "child_process", L212: "cluster", ... L461: assert.ok(isImport === false); L462: return `Invalid "exports" main target ${JSON.stringify(target)} defined in the package config ${packagePath}package.json${base ? ` imported from ${base}` : ""}${relatedError ? "; t... L463: } ... L513: try { L514: parsed = JSON.parse(string); L515: } catch (error_) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/_build/common.mjsView on unpkg · L75
dist/THIRD-PARTY-LICENSES.md.gzView file
path = dist/THIRD-PARTY-LICENSES.md.gz kind = high_entropy_blob sizeBytes = 6635 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/THIRD-PARTY-LICENSES.md.gzView on unpkg
path = dist/THIRD-PARTY-LICENSES.md.gz kind = compressed_blob sizeBytes = 6635 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/THIRD-PARTY-LICENSES.md.gzView on unpkg
dist/docs/0.docs/3.routing.mdView file
469patternName = generic_password severity = medium line = 469 matchedText = '/admin/...} },
Medium
Secret Pattern

Hardcoded password in dist/docs/0.docs/3.routing.md

dist/docs/0.docs/3.routing.mdView on unpkg · L469
614patternName = generic_password severity = medium line = 614 matchedText = password...et',
Medium
Secret Pattern

Hardcoded password in dist/docs/0.docs/3.routing.md

dist/docs/0.docs/3.routing.mdView on unpkg · L614

Findings

4 High7 Medium6 Low
HighChild Processdist/_presets.mjs
HighShelldist/_libs/nypm+tinyexec.mjs
HighCross File Remote Execution Contextdist/_presets.mjs
HighShips High Entropy Blobdist/THIRD-PARTY-LICENSES.md.gz
MediumDynamic Requiredist/_dev.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobdist/THIRD-PARTY-LICENSES.md.gz
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/docs/0.docs/3.routing.md
MediumSecret Patterndist/docs/0.docs/3.routing.md
LowScripts Present
LowEvaldist/_libs/pluginutils.mjs
LowWeak Cryptodist/_build/common.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings