registry  /  streetjs  /  1.0.27

streetjs@1.0.27

Production-grade TypeScript backend framework. Native PostgreSQL wire driver, JWT, WebSockets, clustering, runtime input validation, field-level encryption, abuse prevention, moderation & privacy controls. No Express. No pg. No Prisma. 3 dependencies.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 167 file(s), 1.58 MB of source, external domains: accounts.google.com, api.anthropic.com, api.github.com, api.openai.com, api.sendgrid.com, api.stripe.com, api.twilio.com, app.example.com, github.com, login.microsoftonline.com, oauth2.googleapis.com, registry.streetjs.dev, secretmanager.googleapis.com, www.googleapis.com

Source & flagged code

7 flagged · loading source
dist/database/sqlite/sqlite3-node.mjsView file
10430default: L10431: toss3('Invalid argument count for exec().'); L10432: }
High
Child Process

Package source references child process execution.

dist/database/sqlite/sqlite3-node.mjsView on unpkg · L10430
10408L10409: const parseExecArgs = function (db, args) { L10410: const out = Object.create(null);
High
Shell

Package source references shell execution.

dist/database/sqlite/sqlite3-node.mjsView on unpkg · L10408
dist/microservices/http2.jsView file
11function buildFakeIncomingMessage(headers, stream, body) { L12: const { Readable } = require('node:stream'); L13: const readable = Readable.from([body]);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/microservices/http2.jsView on unpkg · L11
dist/database/mysql/auth-scramble.jsView file
28const sha1 = (data) => createHash('sha1').update(data).digest(); L29: const pw = Buffer.from(password, 'utf8'); L30: const hash1 = sha1(pw); // SHA1(password)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/database/mysql/auth-scramble.jsView on unpkg · L28
dist/cloud/secret-providers.jsView file
8import { createHmac } from 'node:crypto'; L9: import { request as httpsRequest } from 'node:https'; L10: import { request as httpRequest } from 'node:http'; ... L48: res.on('end', () => { L49: resolve({ status: res.statusCode ?? 0, body: Buffer.concat(chunks).toString('utf8') }); L50: });
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/cloud/secret-providers.jsView on unpkg · L8
dist/dev/watcher.jsView file
109return new Promise((resolve) => { L110: const tsc = spawn('npx', ['tsc', '--incremental'], { L111: stdio: ['ignore', 'pipe', 'pipe'],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/dev/watcher.jsView on unpkg · L109
dist/database/sqlite/sqlite3.wasmView file
path = dist/database/sqlite/sqlite3.wasm kind = wasm_module sizeBytes = 850827 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/database/sqlite/sqlite3.wasmView on unpkg

Findings

4 High5 Medium6 Low
HighChild Processdist/database/sqlite/sqlite3-node.mjs
HighShelldist/database/sqlite/sqlite3-node.mjs
HighCloud Metadata Accessdist/cloud/secret-providers.js
HighRuntime Package Installdist/dev/watcher.js
MediumDynamic Requiredist/microservices/http2.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduledist/database/sqlite/sqlite3.wasm
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/database/mysql/auth-scramble.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings