registry  /  turbolint-cli  /  0.1.9

turbolint-cli@0.1.9

TurboLint is a fast Rust CLI for JavaScript and TypeScript linting.

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 8 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.38 KB of source, external domains: turbolint.ideatr.dev

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node ./scripts/install-native.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts/install-native.mjsView file
3import { fileURLToPath } from "node:url"; L4: import { spawnSync } from "node:child_process"; L5: ... L8: const targetDir = join(root, "bin", "native"); L9: const binaryName = process.platform === "win32" ? "turbolint.exe" : "turbolint"; L10: const releaseBinary = join(root, "target", "release", binaryName); ... L28: ); L29: console.warn("TurboLint config review: https://turbolint.ideatr.dev/config-review/"); L30: process.exit(0); ... L34: L35: if (!process.env.CI) { L36: console.log("TurboLint installed. Config review: https://turbolint.ideatr.dev/config-review/");
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/install-native.mjsView on unpkg · L3
matchType = previous_version_dangerous_delta matchedPackage = turbolint-cli@0.1.7 matchedIdentity = npm:dHVyYm9saW50LWNsaQ:0.1.7 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/install-native.mjsView on unpkg

Findings

3 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilityscripts/install-native.mjs
HighPrevious Version Dangerous Deltascripts/install-native.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings