registry  /  vde-monitor  /  0.9.14

vde-monitor@0.9.14

Monitor tmux sessions with a web UI.

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis completed at 93.0% confidence. No malicious behavior was detected; 11 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 302 file(s), 10.8 MB of source, external domains: api.anthropic.com, fb.me, github.com, json-schema.org, platform.claude.com, radix-ui.com, raw.githubusercontent.com, react.dev, tanstack.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/web/assets/codeql-DsOJ9woJ.jsView file
1const e=Object.freeze(JSON.parse('{"displayName":"CodeQL","fileTypes":["ql","qll"],"name":"codeql","patterns":[{"include":"#module-member"}],"repository":{"abstract":{"match":"\\\\...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/web/assets/codeql-DsOJ9woJ.jsView on unpkg · L1
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = vde-monitor@0.9.13 matchedIdentity = npm:dmRlLW1vbml0b3I:0.9.13 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
10import webpush from "web-push"; L11: import { createConnection, createServer } from "node:net"; L12: import { execFile, spawn } from "node:child_process"; L13: import fs$1, { chmod, lstat, mkdir, open, readFile, readdir, realpath, stat, unlink } from "node:fs/promises"; ... L582: if (path.extname(configPath).toLowerCase() === ".json") try { L583: return JSON.parse(raw); L584: } catch { ... L771: const getTokenDir = () => { L772: return path.join(os.homedir(), ".vde-monitor"); L773: }; ... L974: title: "Permission required", L975: body: `${paneLabel} is waiting for permission`,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L10

Findings

1 High4 Medium6 Low
HighPrevious Version Dangerous Deltadist/index.js
MediumDynamic Requiredist/web/assets/codeql-DsOJ9woJ.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings