registry  /  void  /  0.10.4

void@0.10.4

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 131 file(s), 1.37 MB of source, external domains: 127.0.0.1, api.staging.void.cloud, api.void.cloud, github.com, pnpm.io, proxy.staging.void.cloud, proxy.void.cloud, void.cloud, void.dev, void.live, void.local, voidzero.dev, worker.local, www.example.com

Source & flagged code

7 flagged · loading source
dist/git-metadata-Ce0AtSZL.mjsView file
1import { execFileSync } from "node:child_process"; L2: //#region src/cli/git-metadata.ts
High
Child Process

Package source references child process execution.

dist/git-metadata-Ce0AtSZL.mjsView on unpkg · L1
dist/client-YIzxv2ZO.mjsView file
228if (process.platform === "win32") { L229: execFile("cmd.exe", [ L230: "/c",
High
Shell

Package source references shell execution.

dist/client-YIzxv2ZO.mjsView on unpkg · L228
240} L241: if (process.env.WSL_DISTRO_NAME || process.env.WSL_INTEROP) { L242: execFile("wslview", [url], (error) => { L243: if (error) execFile("cmd.exe", [ ... L255: * Start a local HTTP callback server, open the browser to a caller-built L256: * authorize URL, and wait for the redirect back to `http://localhost:PORT/callback`. L257: *
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/client-YIzxv2ZO.mjsView on unpkg · L240
dist/env-validation-LH6eoyW-.mjsView file
9* L10: * Uses Node's native `import()` (type-stripping is on by default in the L11: * supported Node version), so only relative imports and bare package
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/env-validation-LH6eoyW-.mjsView on unpkg · L9
dist/deploy-DpOdwtla.mjsView file
10import { c as getDatabaseDialect, f as readConfig, l as isNodeTarget, p as resolveBindingNames } from "./config-8dLIngKW.mjs"; L11: import { a as scanQueuesSync, i as scanWebSocketRoutesSync, o as scanJobsSync, r as scanRoutes } from "./scan-DGEp1-1Q.mjs"; L12: import { i as inferProjectBindings, l as validateSsrEntry, n as FRAMEWORK_SCAN_DIRS, r as detectFramework } from "./plugin-inference-C3fLzFvP.mjs"; ... L34: import { homedir } from "node:os"; L35: import { execFile, execSync, spawnSync } from "node:child_process"; L36: import { parse } from "jsonc-parser"; ... L83: function getDefaultSandboxPlatformImage() { L84: return `docker.io/cloudflare/sandbox:${JSON.parse(readFileSync(join(getSandboxPackageRoot(), "package.json"), "utf-8")).version ?? "latest"}`; L85: } ... L93: } L94: function resolveSandboxConfig(config, root = process.cwd()) { L95: const raw = typeof config.sandbox === "object" ? config.sandbox : {};
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/deploy-DpOdwtla.mjsView on unpkg · L10
10Cross-file remote execution chain: dist/deploy-DpOdwtla.mjs spawns dist/runtime/handler.mjs; helper contains network access plus dynamic code execution. L10: import { c as getDatabaseDialect, f as readConfig, l as isNodeTarget, p as resolveBindingNames } from "./config-8dLIngKW.mjs"; L11: import { a as scanQueuesSync, i as scanWebSocketRoutesSync, o as scanJobsSync, r as scanRoutes } from "./scan-DGEp1-1Q.mjs"; L12: import { i as inferProjectBindings, l as validateSsrEntry, n as FRAMEWORK_SCAN_DIRS, r as detectFramework } from "./plugin-inference-C3fLzFvP.mjs"; ... L34: import { homedir } from "node:os"; L35: import { execFile, execSync, spawnSync } from "node:child_process"; L36: import { parse } from "jsonc-parser"; ... L83: function getDefaultSandboxPlatformImage() { L84: return `docker.io/cloudflare/sandbox:${JSON.parse(readFileSync(join(getSandboxPackageRoot(), "package.json"), "utf-8")).version ?? "latest"}`; L85: } ... L93: } L94: function resolveSandboxConfig(config, root = process.cwd()) { L95: const raw = typeof config.sandbox === "object" ? config.sandbox : {};
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/deploy-DpOdwtla.mjsView on unpkg · L10
10import { c as getDatabaseDialect, f as readConfig, l as isNodeTarget, p as resolveBindingNames } from "./config-8dLIngKW.mjs"; L11: import { a as scanQueuesSync, i as scanWebSocketRoutesSync, o as scanJobsSync, r as scanRoutes } from "./scan-DGEp1-1Q.mjs"; L12: import { i as inferProjectBindings, l as validateSsrEntry, n as FRAMEWORK_SCAN_DIRS, r as detectFramework } from "./plugin-inference-C3fLzFvP.mjs"; ... L34: import { homedir } from "node:os"; L35: import { execFile, execSync, spawnSync } from "node:child_process"; L36: import { parse } from "jsonc-parser"; ... L83: function getDefaultSandboxPlatformImage() { L84: return `docker.io/cloudflare/sandbox:${JSON.parse(readFileSync(join(getSandboxPackageRoot(), "package.json"), "utf-8")).version ?? "latest"}`; L85: } ... L93: } L94: function resolveSandboxConfig(config, root = process.cwd()) { L95: const raw = typeof config.sandbox === "object" ? config.sandbox : {};
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/deploy-DpOdwtla.mjsView on unpkg · L10

Findings

5 High3 Medium6 Low
HighChild Processdist/git-metadata-Ce0AtSZL.mjs
HighShelldist/client-YIzxv2ZO.mjs
HighSame File Env Network Executiondist/client-YIzxv2ZO.mjs
HighCredential Exfiltrationdist/deploy-DpOdwtla.mjs
HighCross File Remote Execution Contextdist/deploy-DpOdwtla.mjs
MediumDynamic Requiredist/env-validation-LH6eoyW-.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/deploy-DpOdwtla.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License