registry  /  rivet-design  /  0.13.1

rivet-design@0.13.1

Local visual web development tool with AI-powered code modification

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 147 file(s), 2.46 MB of source, external domains: 127.0.0.1, cdn.jsdelivr.net, cdn.skypack.dev, cdnjs.cloudflare.com, claude.ai, cli.github.com, cursor.com, demo.rivet.design, esm.sh, getdesign.md, github.com, gsap.com, reactjs.org, releases.rivet.design, rivet-core-production.up.railway.app, rivet-prototype-host.onrender.com, rivet-proxy.onrender.com, rivet.design, rivet.local, unpkg.com, us.posthog.com, vdonwyzxpnsrihtrrvza.supabase.co, www.gstatic.com, www.w3.org, yandex.com

Source & flagged code

4 flagged · loading source
bin/rivet.jsView file
4L5: const fs = require('fs'); L6: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/rivet.jsView on unpkg · L4
dist/cli/commands/open.jsView file
195package = rivet-design; repositoryIdentity = rivet; dependency = open L195: const launch = openBrowser ?? L196: (await Promise.resolve().then(() => __importStar(require('open')))).default; L197: await launch(editorUrl);
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/cli/commands/open.jsView on unpkg · L195
src/ui/dist/favicon.icoView file
path = src/ui/dist/favicon.ico kind = high_entropy_blob sizeBytes = 4820 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/ui/dist/favicon.icoView on unpkg
dist/agent-variants/WorktreeOrchestrator.jsView file
matchType = previous_version_dangerous_delta matchedPackage = rivet-design@0.12.4 matchedIdentity = npm:cml2ZXQtZGVzaWdu:0.12.4 similarity = 0.467 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/agent-variants/WorktreeOrchestrator.jsView on unpkg

Findings

3 High4 Medium7 Low
HighCopied Package Dependency Bridgedist/cli/commands/open.js
HighShips High Entropy Blobsrc/ui/dist/favicon.ico
HighPrevious Version Dangerous Deltadist/agent-variants/WorktreeOrchestrator.js
MediumDynamic Requirebin/rivet.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License