Tidewave for JavaScript (Next.js, TanStack, Vite)
Drift inferred · capture-to-capture
- HIGH code analysis flagged dynamic code execution in tidewave
transport: stdio
counts: 4 tools · 0 res · 0 prompts
permission surface via code analysis
tools
- get_docs: get the documentation for a given module/namespace or a
- get_logs: reads console log written by the server
- get_source_location: get the source location for a given module/namespace
- project_eval: evaluates code within the runtime itself, giving the agent
prompt-surface
shipped agent-instruction files + hidden-content / dangerous-code findings —
quoted from the analyzed source
analyzed v0.7.0 · analyzer v17 · 1d ago
danger signals 1
- dynamic code execution · new Function() · package/dist/cli/index.js:10217
  var makeValidate = new Function("self", "RULES", "formats", "root", "refVal", "defaults", "customRules", "equal", "ucs2length", "ValidationError", sourceCode);
evidence-backed
findings quoted directly from the published source artifact — not inferred
filesystem 3
- fs package/dist/cli/index.js:5989
  import fs from "fs/promises";
- fs package/dist/next-js/instrumentation.js:50
  import { appendFile, readFile } from "fs/promises";
- fs package/dist/tanstack.js:50
  import { appendFile, readFile } from "fs/promises";
shell / exec 1
- shell package/dist/cli/index.js:629
  var childProcess = __require("node:child_process");
declared dependencies 26
- @modelcontextprotocol/sdk@^1.17.4
- body-parser@^2.2.0
- connect@^3.7.0
- typescript@^5
- zod@3.25.76
- @eslint/js@^9.16.0
- @opentelemetry/api@^1.9.0
- @opentelemetry/sdk-logs@^0.206.0
- @opentelemetry/sdk-trace-base@^2.1.0
- @types/body-parser@^1.19.6
- @types/bun@latest
- @types/connect@^3.4.38
- @types/node@^22.10.1
- @typescript-eslint/eslint-plugin@^8.18.0
- @typescript-eslint/parser@^8.18.0
- @vercel/otel@^2.0.1
- @vitest/ui@^3.2.4
- bun-types@latest
- chalk@^5.3.0
- commander@^12.1.0
- eslint@^9.16.0
- globals@^15.14.0
- next@^15.5.3
- prettier@^3.4.2
- vite@^7.1.5
- vitest@^4.1.8