registry  /  void  /  0.10.5

void@0.10.5

⚠ Under review

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 131 file(s), 1.38 MB of source, external domains: 127.0.0.1, api.staging.void.cloud, api.void.cloud, github.com, pnpm.io, proxy.staging.void.cloud, proxy.void.cloud, void.cloud, void.dev, void.live, void.local, voidzero.dev, worker.local, www.example.com

Source & flagged code

8 flagged · loading source
dist/git-metadata-Ce0AtSZL.mjsView file
1import { execFileSync } from "node:child_process"; L2: //#region src/cli/git-metadata.ts
High
Child Process

Package source references child process execution.

dist/git-metadata-Ce0AtSZL.mjsView on unpkg · L1
dist/client-BlbnA92X.mjsView file
228if (process.platform === "win32") { L229: execFile("cmd.exe", [ L230: "/c",
High
Shell

Package source references shell execution.

dist/client-BlbnA92X.mjsView on unpkg · L228
240} L241: if (process.env.WSL_DISTRO_NAME || process.env.WSL_INTEROP) { L242: execFile("wslview", [url], (error) => { L243: if (error) execFile("cmd.exe", [ ... L255: * Start a local HTTP callback server, open the browser to a caller-built L256: * authorize URL, and wait for the redirect back to `http://localhost:PORT/callback`. L257: *
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/client-BlbnA92X.mjsView on unpkg · L240
dist/route-types-BpSJEW20.mjsView file
73const importPath = relative(outDir, `${queuesDir}/${q.filePath}`); L74: lines.push(` ${JSON.stringify(q.name)}: Queue<(typeof import(${JSON.stringify(importPath)}))["default"]["__payload"]>;`); L75: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/route-types-BpSJEW20.mjsView on unpkg · L73
dist/deploy-CISNL5uK.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = void@0.10.4 matchedIdentity = npm:dm9pZA:0.10.4 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/deploy-CISNL5uK.mjsView on unpkg
10import { c as getDatabaseDialect, f as readConfig, l as isNodeTarget, p as resolveBindingNames } from "./config-8dLIngKW.mjs"; L11: import { a as scanQueuesSync, i as scanWebSocketRoutesSync, o as scanJobsSync, r as scanRoutes } from "./scan---8wfN58.mjs"; L12: import { i as inferProjectBindings, l as validateSsrEntry, n as FRAMEWORK_SCAN_DIRS, r as detectFramework } from "./plugin-inference-D04iL1mW.mjs"; ... L35: import { homedir } from "node:os"; L36: import { execFile, execSync, spawnSync } from "node:child_process"; L37: import { parse } from "jsonc-parser"; ... L92: function getDefaultSandboxPlatformImage() { L93: return `docker.io/cloudflare/sandbox:${JSON.parse(readFileSync(join(getSandboxPackageRoot(), "package.json"), "utf-8")).version ?? "latest"}`; L94: } ... L102: } L103: function resolveSandboxConfig(config, root = process.cwd()) { L104: const raw = typeof config.sandbox === "object" ? config.sandbox : {};
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/deploy-CISNL5uK.mjsView on unpkg · L10
10Cross-file remote execution chain: dist/deploy-CISNL5uK.mjs spawns dist/runtime/handler.mjs; helper contains network access plus dynamic code execution. L10: import { c as getDatabaseDialect, f as readConfig, l as isNodeTarget, p as resolveBindingNames } from "./config-8dLIngKW.mjs"; L11: import { a as scanQueuesSync, i as scanWebSocketRoutesSync, o as scanJobsSync, r as scanRoutes } from "./scan---8wfN58.mjs"; L12: import { i as inferProjectBindings, l as validateSsrEntry, n as FRAMEWORK_SCAN_DIRS, r as detectFramework } from "./plugin-inference-D04iL1mW.mjs"; ... L35: import { homedir } from "node:os"; L36: import { execFile, execSync, spawnSync } from "node:child_process"; L37: import { parse } from "jsonc-parser"; ... L92: function getDefaultSandboxPlatformImage() { L93: return `docker.io/cloudflare/sandbox:${JSON.parse(readFileSync(join(getSandboxPackageRoot(), "package.json"), "utf-8")).version ?? "latest"}`; L94: } ... L102: } L103: function resolveSandboxConfig(config, root = process.cwd()) { L104: const raw = typeof config.sandbox === "object" ? config.sandbox : {};
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/deploy-CISNL5uK.mjsView on unpkg · L10
10import { c as getDatabaseDialect, f as readConfig, l as isNodeTarget, p as resolveBindingNames } from "./config-8dLIngKW.mjs"; L11: import { a as scanQueuesSync, i as scanWebSocketRoutesSync, o as scanJobsSync, r as scanRoutes } from "./scan---8wfN58.mjs"; L12: import { i as inferProjectBindings, l as validateSsrEntry, n as FRAMEWORK_SCAN_DIRS, r as detectFramework } from "./plugin-inference-D04iL1mW.mjs"; ... L35: import { homedir } from "node:os"; L36: import { execFile, execSync, spawnSync } from "node:child_process"; L37: import { parse } from "jsonc-parser"; ... L92: function getDefaultSandboxPlatformImage() { L93: return `docker.io/cloudflare/sandbox:${JSON.parse(readFileSync(join(getSandboxPackageRoot(), "package.json"), "utf-8")).version ?? "latest"}`; L94: } ... L102: } L103: function resolveSandboxConfig(config, root = process.cwd()) { L104: const raw = typeof config.sandbox === "object" ? config.sandbox : {};
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/deploy-CISNL5uK.mjsView on unpkg · L10

Findings

1 Critical5 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/deploy-CISNL5uK.mjs
HighChild Processdist/git-metadata-Ce0AtSZL.mjs
HighShelldist/client-BlbnA92X.mjs
HighSame File Env Network Executiondist/client-BlbnA92X.mjs
HighCredential Exfiltrationdist/deploy-CISNL5uK.mjs
HighCross File Remote Execution Contextdist/deploy-CISNL5uK.mjs
MediumDynamic Requiredist/route-types-BpSJEW20.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/deploy-CISNL5uK.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License