
periderm-cli@0.1.47

Periderm CLI: The Local-First Security & Performance Code Scanner

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 26 file(s), 193 KB of source, external domains: 127.0.0.1, api.groq.com, formspree.io, registry.npmjs.org, www.w3.org, your-domain.com

Source & flagged code

5 flagged
package.json
scripts.postinstall = node dist/bin.js register || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node dist/bin.js register || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/scanner/repo-checks.js
349: why: "Without code-splitting, a visitor to your landing page also downloads the admin dashboard, the settings screens, and every modal. First paint gets slower with every feature y...
350: fix: "Wrap heavy or rarely-used routes in React.lazy(() => import('./Route')) + <Suspense>, or use your router's built-in lazy() API. Split third-party charts, editors and 3D scene...
351: aiPrompt: `This project has ${routeFiles.length} route files but no dynamic import()/React.lazy usage. Identify the largest / least-visited routes (admin, settings, editors, charts...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/scanner/repo-checks.js · L349
dist/index.js
matchType = previous_version_dangerous_delta
matchedPackage = periderm-cli@0.1.44
matchedIdentity = npm:cGVyaWRlcm0tY2xp:0.1.44
similarity = 0.917
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.js
12: import { verifyToken, uploadScan, uploadLighthouseScan, fetchCloudPolicies } from "./api.js";
13: import http from "node:http";
14: import { execSync } from "node:child_process";
15: import ora from "ora";
...
63: .option("--local-only", "Scan locally without uploading to your Periderm dashboard")
64: .option("--cwd <dir>", "Directory to scan", process.cwd())
65: .action(async (opts) => {
...
79: }
80: if (process.env.CI && v.plan === "starter") {
81: verifySpinner.fail("Automated CI/CD reporting requires the Scale or Unlimited plan.");
...
151: console.info("");
152: console.info(chalk.dim(" ✦ " + Buffer.from("SmVzdXMgSXMgTG9yZA==", "base64").toString("utf8") + " ✦"));
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.js · L12

Findings

2 High · 6 Medium · 4 Low
High · Install Time Lifecycle Scripts · package.json
High · Previous Version Dangerous Delta · dist/index.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/scanner/repo-checks.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/index.js
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings