registry  /  openxiangda  /  1.0.136

openxiangda@1.0.136

⚠ Under review

OpenXiangda CLI, workspace build tools, runtime SDK, and form components.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 180 file(s), 4.84 MB of source, external domains: bucket.oss-cn-hangzhou.aliyuncs.com, cdn.example.com, example.com, gateway.example.com, platform.example.com, registry.npmjs.org, www.w3.org, yida.wisejob.cn

Source & flagged code

4 flagged · loading source
packages/sdk/src/build-source/scripts/utils/incremental.test.tsView file
3import path from "node:path"; L4: import { spawnSync } from "node:child_process"; L5:
High
Child Process

Package source references child process execution.

packages/sdk/src/build-source/scripts/utils/incremental.test.tsView on unpkg · L3
bin/openxiangda.jsView file
2L3: const { main } = require('../lib/cli'); L4: const { maskText } = require('../lib/utils');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/openxiangda.jsView on unpkg · L2
lib/workspace-init.jsView file
160function runInstall(targetDir) { L161: const result = spawnSync('pnpm', ['install'], { L162: cwd: targetDir, ... L166: if (result.status !== 0) { L167: throw new Error('pnpm install 执行失败'); L168: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/workspace-init.jsView on unpkg · L160
lib/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = openxiangda@1.0.132 matchedIdentity = npm:b3BlbnhpYW5nZGE:1.0.132 similarity = 0.900 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/cli.jsView on unpkg

Findings

1 Critical3 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltalib/cli.js
HighChild Processpackages/sdk/src/build-source/scripts/utils/incremental.test.ts
HighShell
HighRuntime Package Installlib/workspace-init.js
MediumDynamic Requirebin/openxiangda.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings