registry  /  ripplo  /  0.7.45

ripplo@0.7.45

⚠ Under review

CLI for Ripplo — AI-powered end-to-end testing

Static Scan Results

scanned 10d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 16 file(s), 1.65 MB of source, external domains: 127.0.0.1, evilmartians.com, json-schema.org, ripplo.ai, ripplo.invalid, www.w3.org, www.w3ctech.com

Source & flagged code

5 flagged · loading source
dist/chunk-44FQQWRS.jsView file
95} L96: `);import{CancellationTokenSource as Nt}from"vscode-jsonrpc/node";function ce(e){return`${e.workflowSlug}/${e.testSlug}`}function kn(e){let{headed:n,inflight:t,jobId:r,lockfileHash... L97: mutation AutoScopeAddDirty($projectId: String!, $cwd: String!, $workflowSlugs: [String!]!) {
High
Child Process

Package source references child process execution.

dist/chunk-44FQQWRS.jsView on unpkg · L95
dist/chunk-PYDAUHSS.jsView file
3`};return{diagnostics:l.[redacted](a,L).split(` L4: `).filter(u=>u.length>0),ok:!1}}function N(t,r){let n=t.file?.fileName;return n==null?!0:n.startsWith(r)}var D=p.join(".local","tsbuildinfo");function U(t){return{allowImportingTsE... L5: `)}function Xe(){return`${y} is up to date`}function Be(t){return[`${y} is ${t==="missing"?"missing":"out of date"} \u2014 run \`npx ripplo compile\` and commit the result`,h("setu...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-PYDAUHSS.jsView on unpkg · L3
dist/daemon-GSRF2HY6.jsView file
33`);function Ke({cwd:e,devSessionId:r,onSubscriptionDead:o,sseClient:n}){let t=new Set,i=n.subscribe({query:Yr(Xr),variables:{devSessionId:r}},{complete:()=>{},error:l=>{let s=l ins... L34: `);let s=await je({cwd:e,onReady:()=>{t("opened")},signal:n,step:o.stepIndex+1,target:i});s.kind==="done"&&s.result.kind==="handed-over"||(a.warn({kind:s.kind,runId:o.runId},"telep... L35: mutation ProvisionDevTunnel($devSessionId: String!, $localUrl: String!, $engineUrl: String) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/daemon-GSRF2HY6.jsView on unpkg · L33
dist/index.jsView file
93} L94: `),$a="Failed to connect to Ripplo server";async function tn({serverUrl:e,token:t}){try{let r=await c({config:_({serverUrl:e,token:t}),document:Ca,variables:void 0});return r.curre... L95: `);let n=r.map(i=>Xr(i));process.stdout.write(n.join(` ... L105: `)}async function dn(e,t){let r=g(e).unwrapOr(void 0);r!=null&&await c({config:r,document:Ba,variables:{paused:t,projectId:r.projectId}}).catch(n=>{process.stderr.write(`Warning: c... L106: `)})}import re from"fs";import ne from"path";import{input as hn,select as yn}from"@inquirer/prompts";import{graphql as wl}from"gql.tada";import{exec as Va,execFile as Ga}from"child... L107: `)[0]??r.message:String(r);return X.warn("Install failed (%s): %s",t,n),{cmd:t,ok:!1,reason:n}}}async function tl(e){try{await D(e);return}catch(t){return`Couldn't compile initial ...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L93
dist/chunk-KMNYXOL5.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ripplo@0.7.42 matchedIdentity = npm:cmlwcGxv:0.7.42 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-KMNYXOL5.jsView on unpkg

Findings

1 Critical4 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/chunk-KMNYXOL5.js
HighChild Processdist/chunk-44FQQWRS.js
HighSame File Env Network Executiondist/daemon-GSRF2HY6.js
HighCommand Output Exfiltrationdist/index.js
HighObfuscated
MediumDynamic Requiredist/chunk-PYDAUHSS.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License