registry  /  vitest-snapshot-tools  /  0.5.0

vitest-snapshot-tools@0.5.0

Safely capture, review, and apply Vitest snapshot updates

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 2.21 MB of source, external domains: github.com, json-schema.org, react.dev, www.w3.org

Source & flagged code

5 flagged · loading source
dist/dist-BIbuXxdB.jsView file
69}; L70: if (callback) (function exec() { L71: setTimeout(function() {
High
Child Process

Package source references child process execution.

dist/dist-BIbuXxdB.jsView on unpkg · L69
5999try { L6000: new Function(""); L6001: return true;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/dist-BIbuXxdB.jsView on unpkg · L5999
dist/cli.jsView file
1050})(); L1051: const powerShellPathFromWsl = async () => { L1052: return `${await wslDrivesMountPoint()}[redacted].0/powershell.exe`;
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L1050
14Cross-file remote execution chain: dist/cli.js spawns dist/dist-BIbuXxdB.js; helper contains network access plus dynamic code execution. L14: import { Buffer } from "node:buffer"; L15: import childProcess, { execFile } from "node:child_process"; L16: import fs$1 from "node:fs"; ... L257: wrapStd() { L258: this._wrapStream(this.options.stdout, "log"); L259: this._wrapStream(this.options.stderr, "log"); ... L405: function parseStack(stack, message) { L406: const cwd = process.cwd() + sep; L407: return stack.split("\n").splice(message.split("\n").length).map((l$1) => l$1.trim().replace("file://", "").replace(cwd, "")); ... L470: const isCompatibleTerminal = tty && tty.isatty && tty.isatty(1) && env.TERM && !isDumbTerminal; L471: const isCI = "CI" in env && ("GITHUB_ACTIONS" in env || "GITLAB_CI" in env || "CIRCLECI" in env); L472: const isColorSupported = !isDisabled && (isForced || isWindows && !isDumbTerminal || isCompatibleTerminal || isCI);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L14
dist/dist-CVtwDEs_.jsView file
179async function importTargetVitest(repositoryRoot) { L180: const require = createRequire(join(repositoryRoot, "package.json")); L181: let nodePath;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/dist-CVtwDEs_.jsView on unpkg · L179

Findings

3 High4 Medium5 Low
HighChild Processdist/dist-BIbuXxdB.js
HighShelldist/cli.js
HighCross File Remote Execution Contextdist/cli.js
MediumDynamic Requiredist/dist-CVtwDEs_.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/dist-BIbuXxdB.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings