
pierre-review@0.1.48

Dashboard for tracking your team's GitHub PR activity across repos — local (SQLite + gh) or self-hosted multi-tenant cloud (Postgres + GitHub App).

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

(public snapshot)

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Minified, Url Strings
Manifest: No manifest risk signals triggered.

Scanned 71 file(s), 2.38 MB of source. External domains: almende.com, api.github.com, cli.github.com, github.com, opensource.org, reactjs.org, visjs.github.io, www.apache.org, www.ibm.com, www.w3.org

Source & flagged code

3 flagged

dist/pro/bind.js

    L35: }
    L36: const mod = await import(pathToFileURL(entry).href).catch((err) => {
    L37:   app.log.warn({ err }, 'pro plugin present but failed to load — OSS mode');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/pro/bind.js · L35

dist/cli.js

    L1: #!/usr/bin/env node
    L2: import { execFile, execFileSync } from 'node:child_process';
    L3: import { mkdirSync } from 'node:fs';
    ...
    L6: // ── tiny ANSI helpers (degrade gracefully when not a TTY) ──────────────────
    L7: const useColor = process.stdout.isTTY && process.env.NO_COLOR === undefined;
    L8: const paint = (code, s) => useColor ? `[${code}m${s}` : s;
    ...
    L80: Prerequisite (local mode):
    L81: Requires the GitHub CLI (https://cli.github.com), authenticated via
    L82: \`gh auth login\`. The dashboard reads your activity using your gh token.
    ...
    L90: function openBrowser(url) {
    L91:   const platform = process.platform;
    L92:   const cmd = platform === 'darwin' ? 'open' : platform === 'win32' ? 'cmd' : 'xdg-open';
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.js · L1

dist/coding/merge.js

    matchType = previous_version_dangerous_delta
    matchedPackage = pierre-review@0.1.47
    matchedIdentity = npm:cGllcnJlLXJldmlldw:0.1.47
    similarity = 0.891
    summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/coding/merge.js

Findings

2 High · 4 Medium · 3 Low

High · Sandbox Evasion Gated Capability · dist/cli.js
High · Previous Version Dangerous Delta · dist/coding/merge.js
Medium · Dynamic Require · dist/pro/bind.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings