Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystem
HighEntropyStrings
WildcardDependency
Source & flagged code
4 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./lib/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./lib/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkglib/util.jsView file
1/* eslint-disable no-unused-vars */
L2: const path = require("path");
L3: const { readFileSync, statSync, readdirSync, existsSync, realpathSync } = require("fs");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
lib/util.jsView on unpkg · L136L37: const TOOL_LIB_DIR = __dirname;
L38: const LOCKFILE_NAMES = ["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "npm[redacted]"];
L39: const TOOL_SOURCE_EXTS = new Set([".js", ".mjs", ".cjs", ".hbs"]);
...
L474: fromJSON(s) {
L475: const parsed = JSON.parse(s);
L476: this._entries = parsed._entries;
...
L1047: // Implementation of the Node.js Package Entry Points mechanism
L1048: // https://nodejs.org/api/packages.html#package-entry-points
L1049: let pkgJsonFile, relativeModulePath;
...
L1295: "process.versions.node": JSON.stringify("18.15.0"), // needed for some modules to select features based on the Node.js version
L1296: "process.env.NODE_ENV": JSON.stringify("production"), // we always build in production mode
Medium
Unsafe Vm Context
Package source executes code through a VM context API.
lib/util.jsView on unpkg · L36Findings
1 High6 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirelib/util.js
MediumUnsafe Vm Contextlib/util.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings