registry  /  openstylus  /  0.7.0

openstylus@0.7.0

Brand-neutral, code-on-disk canvas for iterating on rendered React/CSS assets. One local node-24 process hosts a Streamable-HTTP canvas-loop MCP + a first-party SSE channel + the web UI over one node:sqlite sidecar; the engine is config-parameterized and

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
CopyleftLicense
scanned 116 file(s), 2.32 MB of source, external domains: github.com, html.spec.whatwg.org, pro.reactflow.dev, react.dev, reactflow.dev, storybook.js.org, testing-library.com, testing-playground.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/web/assets/realm-Bp0dxzok.jsView file
264patternName = generic_password severity = medium line = 264 matchedText = `+t),t},...r"?`
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/web/assets/realm-Bp0dxzok.jsView on unpkg · L264
dist/ds/manifest.jsView file
291// Bust the ESM module cache with the file's mtime so an EDITED module manifest is re-read live — L292: // "re-derivation is registration" must hold for both formats (a plain `import(absPath)` freezes L293: // the first read for the life of the process). An unchanged file re-uses its cached module, so
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/ds/manifest.jsView on unpkg · L291
dist/ds/lint.jsView file
matchType = previous_version_dangerous_delta matchedPackage = openstylus@0.3.0 matchedIdentity = npm:b3BlbnN0eWx1cw:0.3.0 similarity = 0.657 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/ds/lint.jsView on unpkg

Findings

1 High6 Medium7 Low
HighPrevious Version Dangerous Deltadist/ds/lint.js
MediumSecret Patterndist/web/assets/realm-Bp0dxzok.js
MediumDynamic Requiredist/ds/manifest.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License