registry  /  novu  /  2.19.1

novu@2.19.1

Novu CLI. Run Novu Studio and sync workflows with Novu Cloud

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 309 file(s), 1.54 MB of source, external domains: 127.0.0.1, 127.attacker.com, 46elks.com, acme.org, adisinsight-mcp.springer.com, adobe-creativity.adobe.io, aep-ai-ama.adobe.io, afromessage.com, agent.thoughtspot.app, agents.riskanalytics.dnb.com, ai-inc.mailchimp.com, ai-inc.turbotax.intuit.com, ai-sdk.dev, ai.chronograph.pe, ai.thirdbridge.com, ai.todoist.net, ajo-mcp.adobe.io, anthropic.mcp.creditkarma.com, api-ssl.bitly.com, api.ahrefs.com, api.analytics.lseg.com, api.brex.com, api.clarify.ai, api.clay.com, api.contentsquare.com, api.dashboard.plaid.com, api.descript.com, api.devrev.ai, api.digits.com, api.everlaw.com, api.example.com, api.fathom.ai, api.fireflies.ai, api.fiscal.ai, api.github.com, api.githubcopilot.com, api.grain.com, api.harvey.ai, api.ibkr.com, api.io.italia.it, api.jentic.com, api.meetcampfire.com, api.moodys.com, api.motherduck.com, api.novu-staging.co, api.novu.co, api.novu.localhost, api.novu.test, api.outreach.io, api.peec.ai

Source & flagged code

8 flagged · loading source
dist/src/commands/connect/ui/index.mjsView file
3787patternName = private_key_rsa severity = critical line = 3787 matchedText = if (!val...)) {
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/src/commands/connect/ui/index.mjsView on unpkg · L3787
3787patternName = private_key_rsa severity = critical line = 3787 matchedText = if (!val...)) {
Critical
Secret Pattern

RSA private key in dist/src/commands/connect/ui/index.mjs

dist/src/commands/connect/ui/index.mjsView on unpkg · L3787
dist/src/commands/init/helpers/is-online.jsView file
6exports.getOnline = getOnline; L7: const child_process_1 = require("child_process"); L8: const promises_1 = __importDefault(require("dns/promises"));
High
Child Process

Package source references child process execution.

dist/src/commands/init/helpers/is-online.jsView on unpkg · L6
dist/src/commands/wizard/index.jsView file
16const analytics = new analytics_service_1.AnalyticService(); L17: const dynamicImport = new Function('specifier', 'return import(specifier)'); L18: async function loadInkUi() {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/commands/wizard/index.jsView on unpkg · L16
dist/src/constants/constants.jsView file
7exports.SEGMENTS_WRITE_KEY = exports.ANALYTICS_ENABLED = exports.NOVU_SECRET_KEY = exports.NOVU_API_URL = exports.SERVER_HOST = void 0; L8: const dotenv_1 = __importDefault(require("dotenv")); L9: dotenv_1.default.config({ path: '.env.local' });
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/constants/constants.jsView on unpkg · L7
dist/src/commands/dev/dev.jsView file
7exports.devCommand = devCommand; L8: const node_child_process_1 = require("node:child_process"); L9: const ntfr_client_1 = require("@novu/ntfr-client"); ... L13: const ws_1 = __importDefault(require("ws")); L14: const package_json_1 = __importDefault(require("../../../package.json")); L15: const constants_1 = require("../../constants"); ... L24: try { L25: if (process.platform === 'win32') { L26: (0, node_child_process_1.execSync)(`taskkill /pid ${child.pid} /T /F`, { stdio: 'ignore' }); ... L56: const TUNNEL_INITIAL_CONNECT_DEADLINE_MS = 60000; L57: exports.TUNNEL_URL = 'https://novu.sh/api/tunnels'; L58: const { version } = package_json_1.default;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/src/commands/dev/dev.jsView on unpkg · L7
dist/src/commands/step/utils/package-manager.jsView file
69case 'pnpm': L70: return `pnpm add --save-dev ${packageName}`; L71: case 'yarn': ... L81: const cmd = getInstallCommand(pm, packageName); L82: (0, child_process_1.execSync)(cmd, { cwd: rootDir, stdio: 'pipe' }); L83: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/commands/step/utils/package-manager.jsView on unpkg · L69
dist/src/commands/init/templates/app-react-email/ts/app/fonts/GeistMonoVF.woffView file
path = [redacted]-react-email/ts/app/fonts/GeistMonoVF.woff kind = high_entropy_blob sizeBytes = 67864 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/src/commands/init/templates/app-react-email/ts/app/fonts/GeistMonoVF.woffView on unpkg

Findings

2 Critical5 High4 Medium6 Low
CriticalCritical Secretdist/src/commands/connect/ui/index.mjs
CriticalSecret Patterndist/src/commands/connect/ui/index.mjs
HighChild Processdist/src/commands/init/helpers/is-online.js
HighShell
HighSandbox Evasion Gated Capabilitydist/src/commands/dev/dev.js
HighRuntime Package Installdist/src/commands/step/utils/package-manager.js
HighShips High Entropy Blobdist/src/commands/init/templates/app-react-email/ts/app/fonts/GeistMonoVF.woff
MediumDynamic Requiredist/src/constants/constants.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/src/commands/wizard/index.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings