
node-gtk@4.1.1

GNOME Gtk+ bindings for NodeJS

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Dynamic Require, Environment Vars, Filesystem, Native Bindings
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 41 file(s), 211 KB of source, external domains: github.com, gitlab.gnome.org

Source & flagged code

4 flagged

package.json
scripts.install = npx node-pre-gyp install --fallback-to-build
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.install = npx node-pre-gyp install --fallback-to-build
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

tools/list-libraries.js
L5:  * Driven by the CLI: `node-gtk list [filter] [options]`. The names/versions it
L6:  * prints are exactly what you pass to `require()` / the `gi:` import scheme /
L7:  * `generate-types` (e.g. `Gtk-4.0`).
Medium
Dynamic Require

Package source references dynamic require/import behavior.

tools/list-libraries.js · L5
binding.gyp
path = binding.gyp kind = build_helper sizeBytes = 5753 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.


Findings

1 High, 5 Medium, 4 Low

High    Install Time Lifecycle Scripts (package.json)
Medium  Ambiguous Install Lifecycle Script (package.json)
Medium  Dynamic Require (tools/list-libraries.js)
Medium  Environment Vars
Medium  Ships Build Helper (binding.gyp)
Medium  Structural Risk Force Deep Review
Low     Scripts Present
Low     Filesystem
Low     High Entropy Strings
Low     Url Strings