muaddib-scanner 2.11.141 → 2.11.142

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "muaddib-scanner",
3
- "version": "2.11.141",
3
+ "version": "2.11.142",
4
4
  "description": "Supply-chain threat detection & response for npm & PyPI/Python",
5
5
  "main": "src/index.js",
6
6
  "bin": {
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "target": "node_modules",
3
- "timestamp": "2026-07-01T21:11:52.228Z",
3
+ "timestamp": "2026-07-01T21:20:16.682Z",
4
4
  "threats": [
5
5
  {
6
6
  "type": "string_mutation_obfuscation",
@@ -53,10 +53,9 @@ const {
53
53
  // pattern (e.g. nested groups like `((a+)x)+`) can slip past it.
54
54
  // Layer 2 (hard bound): the monitor runs every scan in a Worker with a 45s
55
55
  // STATIC_SCAN_TIMEOUT_MS -> worker.terminate() (src/monitor/queue.js). V8 TerminateExecution
56
- // interrupts even a running regex (verified on Node 24 / V8 13.6: terminate returns ~6ms
57
- // mid-backtrack) TO CONFIRM on the VPS Node version: interruptible regexps have been in
58
- // V8 since ~Node 16, but this was only tested on Node 24. On that basis a layer-1 bypass
59
- // is bounded to <=45s and the worker is killed.
56
+ // interrupts even a running regex verified empirically that terminate() returns
57
+ // mid-backtrack on BOTH the dev box (Node 24 / V8 13.6: ~6ms) and the production VPS
58
+ // (Node 20.20.0: ~8ms). So a layer-1 bypass is bounded to <=45s and the worker is killed.
60
59
  // The CLI runs the pipeline inline (src/index.js) and has no such backstop — one-shot,
61
60
  // Ctrl-C-able, lower severity.
62
61
  //