run402@3.8.0

⚠ Under review

CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 and MPP micropayments.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 146 file(s), 1.57 MB of source, external domains: 127.0.0.1, api.github.com, api.run402.com, app.run402.com, docs.run402.com, eagles.kychon.com, example.com, github.com, hooks.example.com, my-receiver.example.com, myapp.run402.com, new.example.com, rpc.moderato.tempo.xyz, run402.com, token.actions.githubusercontent.com

Source & flagged code

4 flagged
sdk/dist/scoped.js
L90: }
L91: fork(opts) {
L92: return this.parent.apps.fork(opts);
High
Child Process

Package source references child process execution.

sdk/dist/scoped.js · L90
sdk/dist/namespaces/credentials.js
L28: }
L29: async import(projectId, opts) {
L30: if (!this.client.credentials.saveProject) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

sdk/dist/namespaces/credentials.js · L28
lib/dev.mjs
L109: // Astro's normal output.
L110: const child = spawn("npx", ["astro", "dev", "--port", port, "--host", host], {
L111: stdio: "inherit",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/dev.mjs · L109
lib/ci.mjs
matchType = previous_version_dangerous_delta
matchedPackage = run402@3.7.0
matchedIdentity = npm:cnVuNDAy:3.7.0
similarity = 0.392
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/ci.mjs

Findings

1 Critical · 3 High · 4 Medium · 4 Low
Critical · Previous Version Dangerous Delta · lib/ci.mjs
High · Child Process · sdk/dist/scoped.js
High · Shell
High · Runtime Package Install · lib/dev.mjs
Medium · Dynamic Require · sdk/dist/namespaces/credentials.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings