registry  /  react-doctor-cli-dev  /  1.0.12

react-doctor-cli-dev@1.0.12

React performance analyzer with static analysis, runtime profiling, rule engine, and dashboard upload

Static Scan Results

scanned 13d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 76 file(s), 647 KB of source, external domains: nodejs.org, placehold.co, www.google.com

Source & flagged code

6 flagged · loading source
backend/.envView file
2patternName = blocked_file severity = critical matchedText = backend/.env redactedSecretContext = secretLikeLines = 1 L2: API_KEY=<redacted:35 token-like>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

backend/.envView on unpkg · L2
core/runtime/profiler/browser.tsView file
3import fs from "fs-extra"; L4: import { execSync } from "child_process"; L5:
High
Child Process

Package source references child process execution.

core/runtime/profiler/browser.tsView on unpkg · L3
core/rule-engine/evaluator.tsView file
13// L14: // new Function('metrics', 'lcp', ..., 'return metrics.lcp > 2500') L15: //
Low
Eval

Package source references a known benign dynamic code generation pattern.

core/rule-engine/evaluator.tsView on unpkg · L13
backend/dist/db.jsView file
6exports.screenshotsDir = void 0; L7: const better_sqlite3_1 = __importDefault(require("better-sqlite3")); L8: const path_1 = __importDefault(require("path"));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

backend/dist/db.jsView on unpkg · L6
cli/dist/commands/full.jsView file
270fs_1.default.mkdirSync(backendDataDir, { recursive: true }); L271: (0, child_process_1.spawn)(command, args, { L272: stdio: "inherit", L273: env: { L274: ...process.env, L275: API_KEY: options.apiKey || "react-doctor-secret-key-change-this", ... L285: try { L286: await axios_1.default.get(`${apiUrl}/health`, { timeout: 1000 }); L287: isReady = true;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

cli/dist/commands/full.jsView on unpkg · L270
backend/public/assets/tajawal-latin-700-normal-CV3bxpHe.woffView file
path = backend/public/assets/tajawal-latin-700-normal-CV3bxpHe.woff kind = high_entropy_blob sizeBytes = 13160 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

backend/public/assets/tajawal-latin-700-normal-CV3bxpHe.woffView on unpkg

Findings

1 Critical4 High4 Medium4 Low
CriticalCritical Secretbackend/.env
HighChild Processcore/runtime/profiler/browser.ts
HighShell
HighSame File Env Network Executioncli/dist/commands/full.js
HighShips High Entropy Blobbackend/public/assets/tajawal-latin-700-normal-CV3bxpHe.woff
MediumDynamic Requirebackend/dist/db.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowEvalcore/rule-engine/evaluator.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings