registry  /  yamlover  /  0.3.24

yamlover@0.3.24

Browse a yamlover tree in the web: npx yamlover <root> serves a React SPA over a directory.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 6.06 MB of source, external domains: example.com, foo.bar, github.com, goo.gl, i.ytimg.com, leafletjs.com, ns.adobe.com, player.vimeo.com, purl.oclc.org, raw.github.com, reactjs.org, schemas.microsoft.com, schemas.openxmlformats.org, schemas.zwobble.org, sheetjs.com, sheetjs.openxmlformats.org, stuartk.com, stuk.github.io, www.openstreetmap.org, www.plantuml.com, www.w3.org, www.xfa.org, www.youtube-nocookie.com
Oversized source lightweight scan
dist/server.js2.42 MB file, sampled 256 KB
FilesystemChildProcessHighEntropyStrings

Source & flagged code

6 flagged · loading source
dist/client/assets/docx-D39uvoU4.jsView file
25See http://goo.gl/MqrFmX L26: `)}};function i(d,p,c){this._lateQueue.push(d,p,c),this._queueTick()}function e(d,p,c){this._normalQueue.push(d,p,c),this._queueTick()}function r(d){this._normalQueue._pushOne(d),t... L27: return function(obj) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/client/assets/docx-D39uvoU4.jsView on unpkg · L25
bin/yamlover.jsView file
matchType = previous_version_dangerous_delta matchedPackage = yamlover@0.3.23 matchedIdentity = npm:eWFtbG92ZXI:0.3.23 similarity = 0.941 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/yamlover.jsView on unpkg
150} L151: ({ createHandlers } = await import(pathToFileURL(join(pkgRoot, "dist/server.js")).href)); L152: serveClient = (req, res, url) => serveStatic(res, url, distClient, distIndex);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/yamlover.jsView on unpkg · L150
dist/wasm/webp_dec.wasmView file
path = dist/wasm/webp_dec.wasm kind = wasm_module sizeBytes = 137960 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/wasm/webp_dec.wasmView on unpkg
dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
dist/server.jsView file
path = dist/server.js kind = oversized_source_file sizeBytes = 2541761 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/server.jsView on unpkg

Findings

4 High6 Medium5 Low
HighObfuscated
HighShips High Entropy Blobdist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
HighOversized Source Filedist/server.js
HighPrevious Version Dangerous Deltabin/yamlover.js
MediumDynamic Requirebin/yamlover.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Wasm Moduledist/wasm/webp_dec.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/client/assets/docx-D39uvoU4.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings