registry  /  storyblok  /  4.19.1

storyblok@4.19.1

⚠ Under review

Storyblok CLI

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 360 KB of source, external domains: app.storyblok.com, github.com, www.storyblok.com

Source & flagged code

6 flagged · loading source
dist/index.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = storyblok@4.18.2 matchedIdentity = npm:c3RvcnlibG9r:4.18.2 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.mjsView on unpkg
16import { select, password, input, confirm } from '@inquirer/prompts'; L17: import { exec, spawn } from 'node:child_process'; L18: import { promisify } from 'node:util';
High
Child Process

Package source references child process execution.

dist/index.mjsView on unpkg · L16
2251L2252: const execAsync = promisify(exec); L2253: function buildSignupUrl() {
High
Shell

Package source references shell execution.

dist/index.mjsView on unpkg · L2251
6796} L6797: const degitProcess = spawn("npx", ["degit", templateRepo, projectPath], { L6798: stdio: "inherit",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.mjsView on unpkg · L6796
1426function importModule(filePath) { L1427: return import(pathToFileURL(filePath).href); L1428: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.mjsView on unpkg · L1426
689patternName = generic_password severity = medium line = 689 matchedText = login_em...rd",
Medium
Secret Pattern

Hardcoded password in dist/index.mjs

dist/index.mjsView on unpkg · L689

Findings

1 Critical3 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/index.mjs
HighChild Processdist/index.mjs
HighShelldist/index.mjs
HighRuntime Package Installdist/index.mjs
MediumDynamic Requiredist/index.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/index.mjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings