registry  /  render-tag  /  0.1.23

render-tag@0.1.23

⚠ Under review

Render HTML rich text onto canvas using pure 2D API

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 5 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess
Supply chain
HighEntropyStringsMinified
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 304 KB of source

Source & flagged code

2 flagged · loading source
lib/render-tag.umd.jsView file
9contains invisible/control Unicode U+200D (zero width joiner) `,width:0,style:r.style,isSpace:!1,boxStyle:r.boxStyle}),a[t]){let o=n.length;_e(e,a[t],r,n),i(o)}}else{let a=n.length;_e(e,t,r,n),i(a)}}return n}function Q(e){let t=e.codePointAt(0)||0;return t>=19968&&t<=40959||t>=13312&&t<=19903||t>=1228
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

lib/render-tag.umd.jsView on unpkg · L9
Trigger-reachable chain: manifest.exports -> lib/render-tag.umd.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

lib/render-tag.umd.jsView on unpkg

Findings

2 Critical1 Medium2 Low
CriticalTrojan Source Unicodelib/render-tag.umd.js
CriticalTrigger Reachable Dangerous Capabilitylib/render-tag.umd.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings