registry  /  plum-e2e  /  2.6.8

plum-e2e@2.6.8

⚠ Under review

A ready-to-use E2E test automation environment built on Playwright + Cucumber. Write tests in Gherkin, run them from the CLI or UI, view reports, schedule jobs, manage your entire test case repository, and get notified on Discord or Slack — all in one pla

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 22 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 171 file(s), 1.10 MB of source, external domains: 127.0.0.1, account.r2.cloudflarestorage.com, crontab.guru, cucumber.io, datatracker.ietf.org, discord.com, example.com, fonts.googleapis.com, fonts.gstatic.com, github.com, hooks.slack.com, host.docker.internal, my.site, node1.example, playwright.dev, plum.yourcompany.com, svelte.dev, www.gnu.org, www.saucedemo.com

Source & flagged code

14 flagged · loading source
frontend/.svelte-kit/adapter-node/entries/pages/settings/_page.svelte.jsView file
481patternName = aws_access_key severity = critical line = 481 matchedText = Leave <s...">`;
Critical
Critical Secret

Package contains a critical-looking secret pattern.

frontend/.svelte-kit/adapter-node/entries/pages/settings/_page.svelte.jsView on unpkg · L481
481patternName = aws_access_key severity = critical line = 481 matchedText = Leave <s...">`;
Critical
Secret Pattern

AWS access key ID in frontend/.svelte-kit/adapter-node/entries/pages/settings/_page.svelte.js

frontend/.svelte-kit/adapter-node/entries/pages/settings/_page.svelte.jsView on unpkg · L481
frontend/build/server/index.jsView file
1951} L1952: function exec(match, params, matchers) { L1953: const result = {};
High
Child Process

Package source references child process execution.

frontend/build/server/index.jsView on unpkg · L1951
956case "BigUint64Array": { L957: /** @type {import("./types.js").TypedArray} */ L958: const typedArray = thing;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

frontend/build/server/index.jsView on unpkg · L956
backend/lib/runnerProcess.jsView file
186) { L187: execSync('npm install', { cwd: BACKEND_DIR, stdio, shell: true }); L188: fs.writeFileSync(markerPath, currentVersion, 'utf8');
High
Shell

Package source references shell execution.

backend/lib/runnerProcess.jsView on unpkg · L186
bin/plum.jsView file
801const manageScript = path.join(plumRoot, 'backend', 'scripts', 'manage-runners.mjs'); L802: const apiUrl = primaryUrl || 'http://localhost:3001'; L803: const menu = spawn(process.execPath, [manageScript], { L804: stdio: 'inherit', L805: env: { ...process.env, PLUM_API_URL: apiUrl } L806: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/plum.jsView on unpkg · L801
94console.log(`📦 Installing plugins: ${packages.join(', ')}\n`); L95: execSync(`npm install ${packages.join(' ')}`, { L96: cwd: path.join(plumRoot, 'backend'),
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/plum.jsView on unpkg · L94
frontend/build/client/_app/immutable/nodes/8.BfUuob4H.jsView file
14* You should have received a copy of the GNU General Public License L15: * along with Plum. If not, see https://www.gnu.org/licenses/. L16: */ L17: L18: import{h as As,a as i,t as _,s as p,e as Me,b as O,c as we,n as tt}from"../chunks/ll-VsEGv.js";import{i as Is}from"../chunks/DGryW1Vp.js";import{p as Ts,m as o,o as js,s as l,c as ... L19: links.</p></div> <div class="card settings-card svelte-9l533f"><p class="card-title">Webhooks</p> <div class="field"><label class="field-label svelte-9l533f" for="discord-url"><spa... ... L22: etc.).</p> <pre class="mcp-snippet svelte-9l533f"> </pre> <div class="card-footer svelte-9l533f"><!></div></div>`),Dl=_(`<div class="content-section svelte-9l533f"><div class="cont... L23: others.</p></div> <div class="card settings-card svelte-9l533f"><p class="card-title">API Key</p> <!></div> <!></div>`),Wl=_('<p class="form-error svelte-9l533f"> </p>'),zl=_('<p c... L24: S3-compatible storage — Cloudflare R2, Backblaze B2, AWS S3, or MinIO.</p></div> <div class="card settings-card svelte-9l533f"><p class="card-title">Manual Backup</p> <div class="b... ... L26: overwritten. Cron jobs are re-scheduled after import.</p> <div class="import-row svelte-
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

frontend/build/client/_app/immutable/nodes/8.BfUuob4H.jsView on unpkg · L14
27patternName = aws_access_key severity = critical line = 27 matchedText = Leave <s...in(`
Critical
Secret Pattern

AWS access key ID in frontend/build/client/_app/immutable/nodes/8.BfUuob4H.js

frontend/build/client/_app/immutable/nodes/8.BfUuob4H.jsView on unpkg · L27
backend/entrypoint.shView file
path = backend/entrypoint.sh kind = build_helper sizeBytes = 767 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

backend/entrypoint.shView on unpkg
frontend/build/client/_app/immutable/nodes/1.Dbck5ct8.js.brView file
path = frontend/build/client/_app/immutable/nodes/1.Dbck5ct8.js.br kind = compressed_blob sizeBytes = 1179 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

frontend/build/client/_app/immutable/nodes/1.Dbck5ct8.js.brView on unpkg
frontend/.svelte-kit/output/server/entries/pages/settings/_page.svelte.jsView file
481patternName = aws_access_key severity = critical line = 481 matchedText = Leave <s...">`;
Critical
Secret Pattern

AWS access key ID in frontend/.svelte-kit/output/server/entries/pages/settings/_page.svelte.js

frontend/.svelte-kit/output/server/entries/pages/settings/_page.svelte.jsView on unpkg · L481
frontend/.svelte-kit/output/client/_app/immutable/nodes/8.BfUuob4H.jsView file
27patternName = aws_access_key severity = critical line = 27 matchedText = Leave <s...in(`
Critical
Secret Pattern

AWS access key ID in frontend/.svelte-kit/output/client/_app/immutable/nodes/8.BfUuob4H.js

frontend/.svelte-kit/output/client/_app/immutable/nodes/8.BfUuob4H.jsView on unpkg · L27
frontend/build/server/chunks/_page.svelte-CperUuP9.jsView file
483patternName = aws_access_key severity = critical line = 483 matchedText = Leave <s...">`;
Critical
Secret Pattern

AWS access key ID in frontend/build/server/chunks/_page.svelte-CperUuP9.js

frontend/build/server/chunks/_page.svelte-CperUuP9.jsView on unpkg · L483

Findings

7 Critical4 High6 Medium5 Low
CriticalCritical Secretfrontend/.svelte-kit/adapter-node/entries/pages/settings/_page.svelte.js
CriticalCredential Exfiltrationfrontend/build/client/_app/immutable/nodes/8.BfUuob4H.js
CriticalSecret Patternfrontend/.svelte-kit/adapter-node/entries/pages/settings/_page.svelte.js
CriticalSecret Patternfrontend/.svelte-kit/output/server/entries/pages/settings/_page.svelte.js
CriticalSecret Patternfrontend/.svelte-kit/output/client/_app/immutable/nodes/8.BfUuob4H.js
CriticalSecret Patternfrontend/build/server/chunks/_page.svelte-CperUuP9.js
CriticalSecret Patternfrontend/build/client/_app/immutable/nodes/8.BfUuob4H.js
HighChild Processfrontend/build/server/index.js
HighShellbackend/lib/runnerProcess.js
HighSame File Env Network Executionbin/plum.js
HighRuntime Package Installbin/plum.js
MediumDynamic Requirefrontend/build/server/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbackend/entrypoint.sh
MediumShips Compressed Blobfrontend/build/client/_app/immutable/nodes/1.Dbck5ct8.js.br
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings