registry  /  rivet-design  /  0.13.5

rivet-design@0.13.5

Local visual web development tool with AI-powered code modification

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 153 file(s), 2.95 MB of source, external domains: 127.0.0.1, cdn.jsdelivr.net, cdn.skypack.dev, cdnjs.cloudflare.com, claude.ai, cli.github.com, cursor.com, demo.rivet.design, esm.sh, getdesign.md, github.com, gsap.com, reactjs.org, releases.rivet.design, rivet-core-production.up.railway.app, rivet-prototype-host.onrender.com, rivet-proxy.onrender.com, rivet.design, rivet.local, unpkg.com, us.posthog.com, vdonwyzxpnsrihtrrvza.supabase.co, www.gstatic.com, www.w3.org, yandex.com

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.preinstall = node scripts/verify-node-version.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
bin/rivet.jsView file
4L5: const fs = require('fs'); L6: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/rivet.jsView on unpkg · L4
dist/cli/commands/open.jsView file
195package = rivet-design; repositoryIdentity = rivet; dependency = open L195: const launch = openBrowser ?? L196: (await Promise.resolve().then(() => __importStar(require('open')))).default; L197: await launch(editorUrl);
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/cli/commands/open.jsView on unpkg · L195
src/ui/dist/favicon.icoView file
path = src/ui/dist/favicon.ico kind = high_entropy_blob sizeBytes = 4820 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/ui/dist/favicon.icoView on unpkg
dist/services/WorktreeManager.jsView file
matchType = previous_version_dangerous_delta matchedPackage = rivet-design@0.13.1 matchedIdentity = npm:cml2ZXQtZGVzaWdu:0.13.1 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/services/WorktreeManager.jsView on unpkg

Findings

4 High4 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighCopied Package Dependency Bridgedist/cli/commands/open.js
HighShips High Entropy Blobsrc/ui/dist/favicon.ico
HighPrevious Version Dangerous Deltadist/services/WorktreeManager.js
MediumDynamic Requirebin/rivet.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License