sqlmath@2026.6.30

sqlite for data-science

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, NativeBindings, Network, Shell
Supply chain: HighEntropyStrings, Protestware, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 5 file(s), 705 KB of source, external domains: github.com, stackoverflow.com, www.w3.org

Source & flagged code

6 flagged

test.mjs
L28: /*jslint beta, node*/
L29: import moduleChildProcess from "child_process";
L30: import modulePath from "path";
High
Child Process

Package source references child process execution.

test.mjs · L28

L43: dbCloseAsync,
L44: dbExecAndReturnLastBlob,
L45: dbExecAndReturnLastRow,
High
Shell

Package source references shell execution.

test.mjs · L43

jslint.mjs
L1842: let moduleName = htmlEscape(JSON.stringify(pathname));
L1843: let moduleObj = await import(pathname);
L1844: if (moduleObj.default) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

jslint.mjs · L1842

sqlmath.mjs
Cross-file remote execution chain: sqlmath.mjs spawns sqlmath_wasm.js; helper contains network access plus dynamic code execution.
L79: const SQLITE_OPEN_NOMUTEX = 0x00008000; /* Ok for sqlite3_open_v2() */
L80: const SQLITE_OPEN_PRIVATECACHE = 0x00040000; /* Ok for sqlite3_open_v2() */
L81: const SQLITE_OPEN_READONLY = 0x00000001; /* Ok for sqlite3_open_v2() */
...
L109:
L110: // This function will print <argList> to stderr and then return <argList>[0].
L111:
...
L128: let {
L129: npm[redacted],
L130: npm[redacted],
...
L218:
L219: // This function will run child_process.spawn as a promise.
L220:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

sqlmath.mjs · L79

_sqlmath.napi6_linux_x64.node
path = _sqlmath.napi6_linux_x64.node kind = native_binary sizeBytes = 2160424 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

_sqlmath.napi6_linux_x64.node

sqlmath_wasm.wasm
path = sqlmath_wasm.wasm kind = wasm_module sizeBytes = 976267 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

sqlmath_wasm.wasm

Findings

3 High · 7 Medium · 4 Low

High · Child Process · test.mjs
High · Shell · test.mjs
High · Cross File Remote Execution Context · sqlmath.mjs
Medium · Dynamic Require · jslint.mjs
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Native Binary · _sqlmath.napi6_linux_x64.node
Medium · Ships Wasm Module · sqlmath_wasm.wasm
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings