registry  /  xypriss  /  9.12.4

xypriss@9.12.4

XyPriss is a high-performance, TypeScript-first hyper-system web framework powered by a native Go core (XHSC), featuring robust multi-tenant sandboxing, secure native file streaming, and zero Express dependencies.

Static Scan Results

scanned 13d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
Manifest
CopyleftLicense
scanned 358 file(s), 2.59 MB of source, external domains: 127.0.0.1, api.nehonix.com, cdn.jsdelivr.net, cdnjs.cloudflare.com, dll.nehonix.com, fonts.googleapis.com, fonts.gstatic.com, github.com, lab.nehonix.com, xypriss.nehonix.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
name = xypriss; similarTo = cypress
Medium
Typosquat Name

Package name is suspiciously similar to a popular package name.

package.jsonView on unpkg
dist/esm/src/middleware/built-in/security/UriNormalizer.jsView file
159// ───────────────────────────────────────────────────────────────────────── L160: // Private Methods — URI Decoding L161: // ─────────────────────────────────────────────────────────────────────────
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/esm/src/middleware/built-in/security/UriNormalizer.jsView on unpkg · L159
scripts/postinstall.jsView file
10Manifest entrypoint (scripts.postinstall) carries capability families absent from dist/build output: environment+network, execution+network L10: import fs from "fs"; L11: import { execSync } from "child_process"; L12: import { installXems } from "./install-xems.js"; ... L83: // 1. Initial gate: Check environment variable L84: if (process.env.XFPM !== "true") return false; L85: L86: // 2. Windows Robust verification L87: if (process.platform === "win32") { L88: let pid = process.ppid; ... L132: log.blank(); L133: log.info("Installation Guide: https://xypriss.nehonix.com/docs/xfpm#installation"); L134: log.divider();
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

scripts/postinstall.jsView on unpkg · L10
scripts/monitor_memory.shView file
path = scripts/monitor_memory.sh kind = build_helper sizeBytes = 3955 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/monitor_memory.shView on unpkg
dist/index.d.tsView file
619patternName = generic_password severity = medium line = 619 matchedText = * pass...rd',
Medium
Secret Pattern

Hardcoded password in dist/index.d.ts

dist/index.d.tsView on unpkg · L619

Findings

2 High8 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighEntrypoint Build Divergencescripts/postinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumTyposquat Namepackage.json
MediumUnsafe Vm Contextdist/esm/src/middleware/built-in/security/UriNormalizer.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/monitor_memory.sh
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/index.d.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License