registry  /  tina4-nodejs  /  3.13.56

tina4-nodejs@3.13.56

⚠ Under review

Tina4 for Node.js/TypeScript - 54 built-in features, zero dependencies

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 128 file(s), 3.58 MB of source, external domains: 127.0.0.1, github.com, registry.npmjs.org, schemas.xmlsoap.org, tina4.com, unpkg.com, www.w3.org

Source & flagged code

7 flagged · loading source
packages/core/public/js/tina4-dev-admin.min.jsView file
402`);for(;l>=0;){const O=r.slice(0,l).replace(/\r$/,"");if(r=r.slice(l+1),O!==""){if(O.startsWith("event:"))s=O.slice(6).trim();else if(O.startsWith("data:")){const c=O.slice(5).trim... L403: `)}}}finally{t.releaseLock()}}async function Zb(i){try{return(await i.text()).slice(0,200)}catch{return""}}async function zb(i){const e=await fetch(`${Xn}/supervise/diff?id=${encod... L404: `&&(t="");else{let n=t.indexOf(`
High
Child Process

Package source references child process execution.

packages/core/public/js/tina4-dev-admin.min.jsView on unpkg · L402
395`,r=i.state.doc.line(r.number+(t?1:-1)),s=i.bidiSpans(r),O=i.visualLineSide(r,!t)}if(l){if(!l(c))return a}else{if(!n)return O;l=n(c)}a=O}}function DS(i,e,t){let n=i.state.charCateg... L396: `&&i.lineWrapping&&(n&&(n=S.single(n.main.anchor-1,n.main.head-1)),t={from:s.from,to:s.to,insert:ne.of([" "])}),t)return wl(i,t,n,o);if(n&&!Es(n,s)){let a=!1,l="select";return i.in... L397: `))};if((V.mac||V.android)&&d.from==o-1&&/^\. ?$/.test(n.text)&&e.contentDOM.getAttribute("autocorrect")=="off"&&(d={from:a,to:l,insert:ne.of([n.text.replace("."," ")])}),this.pend... ... L402: `);for(;l>=0;){const O=r.slice(0,l).replace(/\r$/,"");if(r=r.slice(l+1),O!==""){if(O.startsWith("event:"))s=O.slice(6).trim();else if(O.startsWith("data:")){const c=O.slice(5).trim... L403: `)}}}finally{t.releaseLock()}}async function Zb(i){try{return(await i.text()).slice(0,200)}catch{return""}}async function zb(i){const e=await fetch(`${Xn}/supervise/diff?id=${encod... L404: `&&(t="");else{let n=t.indexOf(` L405: `);n>-1&&(t=t.slice(0,n))}return e+t.length<=this.to?t:t.slice(0,this.to-e)}nextLine(){let e=this.parsedPos,t=this.lineAfter(e),n=e+t.length;for(let r=this.rangeIndex;;){let s=this... L406: \${}
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

packages/core/public/js/tina4-dev-admin.min.jsView on unpkg · L395
packages/core/src/fakeData.tsView file
296try { L297: const mod = await import(fullPath); L298: if (typeof mod.default === "function") {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

packages/core/src/fakeData.tsView on unpkg · L296
packages/core/src/websocket.tsView file
1/** L2: * Tina4 WebSocket — Zero-dependency RFC 6455 implementation. L3: * ... L87: .update(key + MAGIC_STRING) L88: .digest("base64"); L89: } ... L103: export function originAllowed(headers: Record<string, string | string[] | undefined>): boolean { L104: const raw = (process.env.TINA4_WS_ALLOWED_ORIGINS ?? "").trim(); L105: if (!raw) return true; // No allow-list configured — permit everything. ... L163: if (queryString) { L164: // WHATWG URLSearchParams handles decoding; a leading "?" is tolerated. L165: const tok = new URLSearchParams(queryString.replace(/^\?/, "")).get("token");
Low
Weak Crypto

Package source references weak cryptographic algorithms.

packages/core/src/websocket.tsView on unpkg · L1
packages/core/src/server.tsView file
matchType = previous_version_dangerous_delta matchedPackage = tina4-nodejs@3.13.50 matchedIdentity = npm:dGluYTQtbm9kZWpz:3.13.50 similarity = 0.825 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

packages/core/src/server.tsView on unpkg
1import { createServer, IncomingMessage, ServerResponse } from "node:http"; L2: import { resolve, dirname, join, relative } from "node:path"; ... L5: import { fileURLToPath } from "node:url"; L6: import { execFileSync, exec } from "node:child_process"; L7: import cluster from "node:cluster"; ... L28: const __filename = fileURLToPath(import.meta.url); L29: const __dirname = dirname(__filename); L30: ... L70: // Gate 2: TINA4_AUTO_MIGRATE not falsy (default "true"). L71: const flag = process.env.TINA4_AUTO_MIGRATE; L72: if (flag != null && !isTruthy(flag)) { ... L102:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

packages/core/src/server.tsView on unpkg · L1
packages/core/src/devAdmin.tsView file
2367const { execFileSync } = await import("node:child_process"); L2368: const output = execFileSync("npx", ["tina4nodejs", "generate", kind, name], { L2369: cwd: resolve(process.cwd()),
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

packages/core/src/devAdmin.tsView on unpkg · L2367

Findings

1 Critical5 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltapackages/core/src/server.ts
HighChild Processpackages/core/public/js/tina4-dev-admin.min.js
HighShell
HighSame File Env Network Executionpackages/core/public/js/tina4-dev-admin.min.js
HighSandbox Evasion Gated Capabilitypackages/core/src/server.ts
HighRuntime Package Installpackages/core/src/devAdmin.ts
MediumDynamic Requirepackages/core/src/fakeData.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptopackages/core/src/websocket.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings