registry  /  stacktora  /  0.16.9

stacktora@0.16.9

⚠ Under review

Keep your project's dev-environment files in sync with its stack recipe (stacktora.json).

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 8 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 373 KB of source, external domains: 0.0.0.0, 192.168.1.20, api.github.com, asdf-vm.com, containers.dev, direnv.net, docs.docker.com, editorconfig.org, github.com, gitpod.io, maven.apache.org, pre-commit.com, reactnative.dev, stacktora.com, taskfile.dev, www.npmjs.com, your-backend-host.example.com

Source & flagged code

2 flagged · loading source
bin/stacktora.jsView file
3'use strict'; L4: const fs = require('fs'), path = require('path'); L5:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/stacktora.jsView on unpkg · L3
engine.jsView file
9if (typeof global.window === 'undefined') global.window = { matchMedia: function () { return { matches: false, addEventListener: _noop }; }, scrollTo: _noop, addEventListener: _noo... L10: if (typeof global.Alpine === 'undefined') global.Alpine = { data: _noop, store: _noop, start: _noop }; L11: ... L188: { id:'Free', price:0, yr:0, tagline:'For individual developers getting started.', L189: features:['1 private project','Public template gallery','Full generator & all output files','Latest version only'] }, L190: { id:'Pro', price:9, yr:90, popular:true, tagline:'For developers who live in their terminal.', ... L214: { cat:'Configuring & outputs', q:'What does `make doctor` do?', a:'A preflight check: it verifies Docker is installed and running, Compose v2 is available, and that the host ports ... L215: { cat:'Configuring & outputs', q:'Is there a CLI?', a:'Yes — <code>npx stacktora sync</code> regenerates your project\'s files locally from the <code>stacktora.json</code> recipe e... L216: { cat:'Configuring & outputs', q:'Can CI check my stacktora.json without installing the CLI?', a:'Yes — <a href="https://github.com/stacktora/audit-action" target="_blank" rel="noo... ... L4
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

engine.jsView on unpkg · L9

Findings

1 Critical3 Medium4 Low
CriticalCredential Exfiltrationengine.js
MediumDynamic Requirebin/stacktora.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings