registry  /  sweet-search  /  2.7.0

sweet-search@2.7.0

⚠ Under review

Local code search for AI agents: six fast, purpose-built tools that return ranked answers, not raw grep. Because maybe grep isn't all you need... 🍬

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 254 file(s), 5.56 MB of source, external domains: 127.0.0.1, api.cerebras.ai, api.groq.com, api.jina.ai, api.mistral.ai, api.voyageai.com, github.com, huggingface.co, nodejs.org

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall-banner.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
crates/wasm-router/pkg/query_router_wasm.jsView file
266const wasmPath = `${__dirname}/query_router_wasm_bg.wasm`; L267: const wasmBytes = require('fs').readFileSync(wasmPath); L268: const wasmModule = new WebAssembly.Module(wasmBytes);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

crates/wasm-router/pkg/query_router_wasm.jsView on unpkg · L266
core/indexing/index-codebase-v21.jsView file
35// enable. libuv reads this lazily on first thread pool use. L36: if (process.env.SWEET_SEARCH_UV_THREADPOOL_SIZE && !process.env.UV_THREADPOOL_SIZE) { L37: process.env.UV_THREADPOOL_SIZE = process.env.SWEET_SEARCH_UV_THREADPOOL_SIZE; ... L121: // Animated banner (best-effort; interactive TTY only, never in CI / quiet / stdin-fed runs). L122: if (!quiet && !help && !filesFromStdin && process.stdout.isTTY && !process.env.CI && !process.env.NO_BANNER && !process.env.SWEET_SEARCH_NO_BANNER) { L123: try { const { showBanner } = await import('../banner/render-banner.js'); await showBanner({ clear: true }); } catch { /* non-fatal */ } ... L136: } else { L137: applyPersistedLiModel(process.env.SWEET_SEARCH_PROJECT_ROOT || process.cwd()); L138: } ... L446: // form silently no-op'd under three real-world conditions: L447: // 1. `npm install ../sweet-search-private` (file install) symlinks L448: // `node_modules/sweet-search/` to the source — `process.argv[1]` is the
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

core/indexing/index-codebase-v21.jsView on unpkg · L35
core/search/search-fusion.jsView file
41if (result.name) return String(result.name); L42: if (process.env.DEBUG_CATCHES) { L43: _fallbackKeyCount++; L44: if (_fallbackKeyCount <= 5 || _fallbackKeyCount % 100 === 0) { L45: process.stderr.write(`[search-fusion] fallback hash dedup path used (${_fallbackKeyCount})\n`); L46: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

core/search/search-fusion.jsView on unpkg · L41
core/infrastructure/model-fetcher.jsView file
89const raw = readFileSync(sidecarPath, 'utf-8'); L90: const parsed = JSON.parse(raw); L91: if (!parsed || typeof parsed !== 'object') return null; ... L297: // never to a custom hfEndpoint, which may be an untrusted mirror. L298: const hfToken = process.env.HF_TOKEN || process.env.HUGGING_FACE_HUB_TOKEN; L299: if (hfToken && url.startsWith('https://huggingface.co/')) { L300: headers['Authorization'] = `Bearer ${hfToken}`; ... L318: L319: process.stderr.write(`[ModelFetcher] ${isResume ? 'Resuming' : 'Downloading'} ${filePath} from ${hfId}...`); L320:
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

core/infrastructure/model-fetcher.jsView on unpkg · L89
crates/wasm-router/pkg/query_router_wasm_bg.wasmView file
path = crates/wasm-router/pkg/query_router_wasm_bg.wasm kind = wasm_module sizeBytes = 201196 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

crates/wasm-router/pkg/query_router_wasm_bg.wasmView on unpkg
core/search/session-daemon-prewarm.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = sweet-search@2.6.14 matchedIdentity = npm:c3dlZXQtc2VhcmNo:2.6.14 similarity = 0.900 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

core/search/session-daemon-prewarm.mjsView on unpkg

Findings

1 Critical2 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltacore/search/session-daemon-prewarm.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighCredential Exfiltrationcore/infrastructure/model-fetcher.js
MediumDynamic Requirecrates/wasm-router/pkg/query_router_wasm.js
MediumUnsafe Vm Contextcore/indexing/index-codebase-v21.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Modulecrates/wasm-router/pkg/query_router_wasm_bg.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptocore/search/search-fusion.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings