registry  /  vitest-snapshot-tools  /  0.1.0

vitest-snapshot-tools@0.1.0

Safely capture, review, and apply Vitest snapshot updates

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 325 file(s), 10.7 MB of source, external domains: github.com, json-schema.org, react.dev, www.w3.org

Source & flagged code

5 flagged · loading source
dist/cli.jsView file
14import { Buffer } from "node:buffer"; L15: import childProcess, { execFile } from "node:child_process"; L16: import fs$1 from "node:fs";
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L14
1050})(); L1051: const powerShellPathFromWsl = async () => { L1052: return `${await wslDrivesMountPoint()}[redacted].0/powershell.exe`;
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L1050
14Cross-file remote execution chain: dist/cli.js spawns dist/dist-6RmQ5Mfu.js; helper contains network access plus dynamic code execution. L14: import { Buffer } from "node:buffer"; L15: import childProcess, { execFile } from "node:child_process"; L16: import fs$1 from "node:fs"; ... L257: wrapStd() { L258: this._wrapStream(this.options.stdout, "log"); L259: this._wrapStream(this.options.stderr, "log"); ... L405: function parseStack(stack, message) { L406: const cwd = process.cwd() + sep; L407: return stack.split("\n").splice(message.split("\n").length).map((l$1) => l$1.trim().replace("file://", "").replace(cwd, "")); ... L470: const isCompatibleTerminal = tty && tty.isatty && tty.isatty(1) && env.TERM && !isDumbTerminal; L471: const isCI = "CI" in env && ("GITHUB_ACTIONS" in env || "GITLAB_CI" in env || "CIRCLECI" in env); L472: const isColorSupported = !isDisabled && (isForced || isWindows && !isDumbTerminal || isCompatibleTerminal || isCI);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L14
dist/dist-6RmQ5Mfu.jsView file
5999try { L6000: new Function(""); L6001: return true;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/dist-6RmQ5Mfu.jsView on unpkg · L5999
dist/dist-BuW8b8he.jsView file
109async function importTargetVitest(repositoryRoot) { L110: const require = createRequire(join(repositoryRoot, "package.json")); L111: let nodePath;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/dist-BuW8b8he.jsView on unpkg · L109

Findings

3 High4 Medium5 Low
HighChild Processdist/cli.js
HighShelldist/cli.js
HighCross File Remote Execution Contextdist/cli.js
MediumDynamic Requiredist/dist-BuW8b8he.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/dist-6RmQ5Mfu.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings