registry  /  ui5-tooling-modules  /  3.37.8

ui5-tooling-modules@3.37.8

UI5 CLI extensions to load and convert node modules as UI5 AMD-like modules

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
Manifest
WildcardDependency
scanned 23 file(s), 288 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node ./lib/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./lib/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
lib/util.jsView file
1/* eslint-disable no-unused-vars */ L2: const path = require("path"); L3: const { readFileSync, statSync, readdirSync, existsSync, realpathSync } = require("fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/util.jsView on unpkg · L1
36L37: const TOOL_LIB_DIR = __dirname; L38: const LOCKFILE_NAMES = ["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "npm[redacted]"]; L39: const TOOL_SOURCE_EXTS = new Set([".js", ".mjs", ".cjs", ".hbs"]); ... L474: fromJSON(s) { L475: const parsed = JSON.parse(s); L476: this._entries = parsed._entries; ... L1047: // Implementation of the Node.js Package Entry Points mechanism L1048: // https://nodejs.org/api/packages.html#package-entry-points L1049: let pkgJsonFile, relativeModulePath; ... L1295: "process.versions.node": JSON.stringify("18.15.0"), // needed for some modules to select features based on the Node.js version L1296: "process.env.NODE_ENV": JSON.stringify("production"), // we always build in production mode
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

lib/util.jsView on unpkg · L36

Findings

1 High6 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirelib/util.js
MediumUnsafe Vm Contextlib/util.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings