registry  /  void  /  0.10.10

void@0.10.10

⚠ Under review

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 124 file(s), 1.41 MB of source, external domains: 127.0.0.1, api.staging.void.cloud, api.void.cloud, github.com, pnpm.io, proxy.staging.void.cloud, proxy.void.cloud, void.cloud, void.dev, void.live, void.local, voidzero.dev, worker.local, www.example.com

Source & flagged code

8 flagged · loading source
dist/gen-Bee261SV.mjsView file
10import { fileURLToPath } from "node:url"; L11: import { spawnSync } from "node:child_process"; L12: //#region src/cli/gen.ts
High
Child Process

Package source references child process execution.

dist/gen-Bee261SV.mjsView on unpkg · L10
dist/client-C9FG6Vzc.mjsView file
294if (process.platform === "win32") { L295: execFile("cmd.exe", [ L296: "/c",
High
Shell

Package source references shell execution.

dist/client-C9FG6Vzc.mjsView on unpkg · L294
306} L307: if (process.env.WSL_DISTRO_NAME || process.env.WSL_INTEROP) { L308: execFile("wslview", [url], (error) => { L309: if (error) execFile("cmd.exe", [ ... L321: * Start a local HTTP callback server, open the browser to a caller-built L322: * authorize URL, and wait for the redirect back to `http://localhost:PORT/callback`. L323: *
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/client-C9FG6Vzc.mjsView on unpkg · L306
dist/route-types-CfKfhbIg.mjsView file
304const importPath = relative(outDir, `${queuesDir}/${q.filePath}`); L305: lines.push(` ${JSON.stringify(q.name)}: Queue<(typeof import(${JSON.stringify(importPath)}))["default"]["__payload"]>;`); L306: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/route-types-CfKfhbIg.mjsView on unpkg · L304
dist/deploy-B02JyKP9.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = void@0.10.4 matchedIdentity = npm:dm9pZA:0.10.4 similarity = 0.521 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/deploy-B02JyKP9.mjsView on unpkg
4import { i as resolveProjectPaths, n as readProjectPaths } from "./project-paths-tpdR1mJR.mjs"; L5: import { a as scanQueuesSync, i as scanWebSocketRoutesSync, o as scanJobsSync, r as scanRoutes, s as findVoidAuthConfig } from "./scan-i7Yz54fv.mjs"; L6: import { t as cfAccessHeaders } from "./cf-access-Bqw81xAf.mjs"; ... L30: import { homedir } from "node:os"; L31: import { execFile, execSync, spawnSync } from "node:child_process"; L32: import { parse } from "jsonc-parser"; ... L87: function getDefaultSandboxPlatformImage() { L88: return `docker.io/cloudflare/sandbox:${JSON.parse(readFileSync(join(getSandboxPackageRoot(), "package.json"), "utf-8")).version ?? "latest"}`; L89: } ... L97: } L98: function resolveSandboxConfig(config, root = process.cwd()) { L99: const raw = typeof config.sandbox === "object" ? config.sandbox : {};
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/deploy-B02JyKP9.mjsView on unpkg · L4
4Cross-file remote execution chain: dist/deploy-B02JyKP9.mjs spawns dist/runtime/handler.mjs; helper contains network access plus dynamic code execution. L4: import { i as resolveProjectPaths, n as readProjectPaths } from "./project-paths-tpdR1mJR.mjs"; L5: import { a as scanQueuesSync, i as scanWebSocketRoutesSync, o as scanJobsSync, r as scanRoutes, s as findVoidAuthConfig } from "./scan-i7Yz54fv.mjs"; L6: import { t as cfAccessHeaders } from "./cf-access-Bqw81xAf.mjs"; ... L30: import { homedir } from "node:os"; L31: import { execFile, execSync, spawnSync } from "node:child_process"; L32: import { parse } from "jsonc-parser"; ... L87: function getDefaultSandboxPlatformImage() { L88: return `docker.io/cloudflare/sandbox:${JSON.parse(readFileSync(join(getSandboxPackageRoot(), "package.json"), "utf-8")).version ?? "latest"}`; L89: } ... L97: } L98: function resolveSandboxConfig(config, root = process.cwd()) { L99: const raw = typeof config.sandbox === "object" ? config.sandbox : {};
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/deploy-B02JyKP9.mjsView on unpkg · L4
4import { i as resolveProjectPaths, n as readProjectPaths } from "./project-paths-tpdR1mJR.mjs"; L5: import { a as scanQueuesSync, i as scanWebSocketRoutesSync, o as scanJobsSync, r as scanRoutes, s as findVoidAuthConfig } from "./scan-i7Yz54fv.mjs"; L6: import { t as cfAccessHeaders } from "./cf-access-Bqw81xAf.mjs"; ... L30: import { homedir } from "node:os"; L31: import { execFile, execSync, spawnSync } from "node:child_process"; L32: import { parse } from "jsonc-parser"; ... L87: function getDefaultSandboxPlatformImage() { L88: return `docker.io/cloudflare/sandbox:${JSON.parse(readFileSync(join(getSandboxPackageRoot(), "package.json"), "utf-8")).version ?? "latest"}`; L89: } ... L97: } L98: function resolveSandboxConfig(config, root = process.cwd()) { L99: const raw = typeof config.sandbox === "object" ? config.sandbox : {};
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/deploy-B02JyKP9.mjsView on unpkg · L4

Findings

1 Critical5 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/deploy-B02JyKP9.mjs
HighChild Processdist/gen-Bee261SV.mjs
HighShelldist/client-C9FG6Vzc.mjs
HighSame File Env Network Executiondist/client-C9FG6Vzc.mjs
HighCredential Exfiltrationdist/deploy-B02JyKP9.mjs
HighCross File Remote Execution Contextdist/deploy-B02JyKP9.mjs
MediumDynamic Requiredist/route-types-CfKfhbIg.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/deploy-B02JyKP9.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License