registry  /  scip-query  /  0.13.0

scip-query@0.13.0

⚠ Under review

Evidence and verification for AI coding agents: map code, reuse concepts, finish migrations, and gate diffs.

Static Scan Results

scanned 12d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 175 file(s), 1.49 MB of source, external domains: github.com, registry.npmjs.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/postinstall.js || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/postinstall.js || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/chunk-GNG622H3.jsView file
1import{a as d}from"./chunk-64MNV6AB.js";import{c as S}from"./chunk-7S5E7KWT.js";import{isAbsolute as x,relative as h}from"path";function g(e){return e.replace(/\\/g,"/").replace(/^... L2: `)){let s=o.trim();s&&(A(s)||t.has(l(s).toLowerCase())&&i.add(s))}return i}catch{return null}}function A(e){return e.split("/").some(t=>m.has(t))}function L(e,t){let n=new Set,i=o=...
High
Child Process

Package source references child process execution.

dist/chunk-GNG622H3.jsView on unpkg · L1
dist/cli.jsView file
73(relative_path, symbol, project_fingerprint, version, payload) VALUES (?, ?, ?, ?, ?)`),dropStaleReferences:n.prepare("DELETE FROM semantic_references WHERE project_fingerprint != ... L74: (check_name, finding_id, first_seen, last_seen, times_shown, outcome) VALUES (?, ?, ?, ?, ?, ?)`)}}catch(n){dl("disabled (open failed)",n)}return Ns.set(e,t),t}function zt(e,t,n){d... L75: `;if(t)try{let i=RP(t);mf.has(i)||(vP(i,{recursive:!0}),mf.add(i)),CP(t,r);return}catch(i){pf||(pf=!0,process.stderr.write(`[profile] failed to write ${t}: ${i instanceof Error?i.m... ... L79: `&&(i+=1),r+=1,o==='"')break}return{index:r,line:i}}function gl(e){return e==="'"||e==="`"||e==="~"||e==="@"||e==="^"||e==="#"}function hl(e){return/\s|,/.test(e)||e==="("||e===")"... L80: `)))}import{readdirSync as CI}from"fs";import{execFileSync as vI}from"child_process";import{extname as zs,join as RI}from"path";var Ml=[".ts",".tsx",".mts",".cts",".js",".jsx",".mj... L81: `)){let o=i.trim();o&&(EI(o)||t.has(zs(o).toLowerCase())&&r.add(o))}return r}catch{return null}}function EI(e){return e.split("/").some(t=>Ks.has(t))}function NI(e,t){let n=new Set... L82: `).length:0,u=mr(r.template),d=o.lineCount,m=r.styles.red
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L73
74(check_name, finding_id, first_seen, last_seen, times_shown, outcome) VALUES (?, ?, ?, ?, ?, ?)`)}}catch(n){dl("disabled (open failed)",n)}return Ns.set(e,t),t}function zt(e,t,n){d... L75: `;if(t)try{let i=RP(t);mf.has(i)||(vP(i,{recursive:!0}),mf.add(i)),CP(t,r);return}catch(i){pf||(pf=!0,process.stderr.write(`[profile] failed to write ${t}: ${i instanceof Error?i.m... L76: `));return}ke()&&process.stderr.write(r)}function ff(e){return typeof e=="function"?e():e}var EP=[$t("source-facts",{dependsOn:["content-hash","tool-version"],keyParts:["kind","rel... ... L79: `&&(i+=1),r+=1,o==='"')break}return{index:r,line:i}}function gl(e){return e==="'"||e==="`"||e==="~"||e==="@"||e==="^"||e==="#"}function hl(e){return/\s|,/.test(e)||e==="("||e===")"... L80: `)))}import{readdirSync as CI}from"fs";import{execFileSync as vI}from"child_process";import{extname as zs,join as RI}from"path";var Ml=[".ts",".tsx",".mts",".cts",".js",".jsx",".mj... L81: `)){let o=i.trim();o&&(EI(o)||t.has(zs(o).toLowerCase())&&r.add(o))}return r}catch{return null}}function EI(e){return e.split("/").some(t=>Ks.has(t))}function NI(e,t){let n=new Set... L82: `).length:0,u=mr(r.template),d=o.lineCount,m=r.styles.red
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L74
255${e.symbolNoiseFor("gs")}`),n=new Map;for(let r of t){if(!r.relative_path||e.isIgnored(r.relative_path))continue;let i=M(r.symbol);if(!i)continue;let o=n.get(i);o||(o=[],n.set(i,o)... L256: `),c=[];for(let l=0;l<a.length;l++){if(l===i)continue;let u=a[l]??"";s.lastIndex=0;let d;for(;(d=s.exec(u))!==null;)c.push({file:t,line:l,column:d.index})}return So(c.filter(l=>xo(... L257: d.id AS documentId,
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.jsView on unpkg · L255
9`):[]})}var oP=/^\s*(?:\/\/|#|\/\*+|\*)\s*scip-query[\s:-]*ignore(?:[\s:-]+(dead(?:-code)?|stale|wrapper|passthrough|drift|extract|similar))?\b/i;function no(e){let t=oP.exec(e);re... L10: `).length}function ul(e,t,n){let r={relativePath:t,template:null,scripts:[],styles:[],customBlocks:[],errors:[]};if(!n)return r;let i;try{i=sP(n,{filename:t})}catch(s){return r.err... L11: `).length-1):0;return{kind:n,ownerPath:t,sourcePath:c,external:!0,src:s,attrs:i,lang:o,body:l,startLine:0,endLine:u,errors:l?[]:[`Vue ${n} block source not found: ${c}`]}}let a=Mat... ... L13: `),startLine:0,language:o}:null}var Xp=dr("ast-trees",{clearGroups:["whole-project","source-file"]});function ie(e,t){if(fn(t))return dP(e,t);let n=U(t);if(!n)return null;let r=F(e... L14: `.repeat(r.startLine)+r.body;return to(r.language,i)}):null}function ti(e,t){let n=mP(e,t);if(!n)return null;let r=ei(n);return r?{calleeLeaf:r,memberAccess:pP(n),line:e.startPosit... L15: CREATE TABLE IF NOT EXISTS file_evidence ( ... L74: (check_name, finding_id, first_seen, last_seen, times_shown, outcome) VALUES (?, ?, ?, ?, ?, ?)`)}}catch(n){dl("disabled (open failed)",n)}return Ns.set(e,t),t}function zt(e,t,n){d... L75: `;if(t
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli.jsView on unpkg · L9
scripts/evidence-product-contract.mjsView file
1Cross-file remote execution chain: scripts/evidence-product-contract.mjs spawns dist/cli.js; helper contains network access plus dynamic code execution. L1: #!/usr/bin/env node L2: import { spawnSync } from 'node:child_process'; L3: import { createHash } from 'node:crypto'; ... L16: const args = parseArgs(process.argv.slice(2)); L17: const projectRoot = process.cwd(); L18: const cliPath = resolve(projectRoot, 'dist/cli.js'); ... L30: const status = runCli(['status', '--json'], { profile: false }); L31: if (status.exitCode !== 0) { L32: process.stderr.write(status.stderr.toString()); L33: process.exit(status.exitCode ?? 1); ... L35: L36: const statusJson = JSON.parse(status.stdout.toString());
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/evidence-product-contract.mjsView on unpkg · L1
dist/runtime.jsView file
matchType = previous_version_dangerous_delta matchedPackage = scip-query@0.11.0 matchedIdentity = npm:c2NpcC1xdWVyeQ:0.11.0 similarity = 0.867 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/runtime.jsView on unpkg

Findings

1 Critical6 High5 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/runtime.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/chunk-GNG622H3.js
HighShell
HighSame File Env Network Executiondist/cli.js
HighCommand Output Exfiltrationdist/cli.js
HighCross File Remote Execution Contextscripts/evidence-product-contract.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings