registry  /  waforge  /  2.15.3

waforge@2.15.3

<p align="center"> <img src="docs/screenshots/dashboard.png" alt="WaForge Dashboard" width="800" /> </p>

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 120 file(s), 286 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.cohere.com, api.deepseek.com, api.groq.com, api.mistral.ai, api.openai.com, fonts.googleapis.com, fonts.gstatic.com, generativelanguage.googleapis.com, graph.facebook.com, host.docker.internal, huggingface.co, openrouter.ai

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = nuxt prepare && prisma generate
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = nuxt prepare && prisma generate
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/reset-admin-password.tsView file
77patternName = generic_password severity = medium line = 77 matchedText = console....age)
Medium
Secret Pattern

Package contains a possible secret pattern.

bin/reset-admin-password.tsView on unpkg · L77
server/utils/job-queue.tsView file
matchType = previous_version_dangerous_delta matchedPackage = waforge@2.9.1 matchedIdentity = npm:d2Fmb3JnZQ:2.9.1 similarity = 0.734 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

server/utils/job-queue.tsView on unpkg
test-register.jsView file
4patternName = generic_password severity = medium line = 4 matchedText = body: JS...' })
Medium
Secret Pattern

Hardcoded password in test-register.js

test-register.jsView on unpkg · L4

Findings

2 High6 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltaserver/utils/job-queue.ts
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumSecret Patternbin/reset-admin-password.ts
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
MediumSecret Patterntest-register.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License