This means that the AST (Abstract Syntax Tree) analysis has emitted one or more warnings! There are several different kinds of warning:
For example, if your package contains a .js file with the following content:
Then the AST analysis will return fs, path and ./lib as required dependencies. The code will not be considered suspicious!
But if we take a look at a malicious code example:
This code requires the core package http, but the AST analysis is not able to detect it (not yet 😁). So the code will be flagged as "suspect".
Regular expressions can be dangerous and may lead to a ReDoS attack. This warning is emitted when the safe-regex package returns true.
The AST analysis has failed (the stack trace from nsecure is returned).
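To make the "suspect" require warning and the ReDoS warning above concrete, here is an added example (it is not nsecure's own code, and nsecure walks a real AST rather than scanning with a regular expression). It assumes two stand-in helpers of our own naming, `classifyRequires` and `isUnsafeRegex`, and replaces the safe-regex package with a star-height check, so a comment such as `// require("x")` fools the scan in a way it would not fool an AST.

```javascript
// Added example, not nsecure's code: simplified stand-ins for the "suspect"
// require warning and the ReDoS warning. Names and thresholds here are ours.
const REQUIRE_CALL = /\brequire\s*\(\s*([^)]*?)\s*\)/g;
const STRING_LITERAL = /^(["'])((?:(?!\1)[^\\\n]|\\.)*)\1$/;
// Literal arguments become dependencies; anything else (variable, concatenation,
// computed value) cannot be resolved statically and is reported as suspect.
function classifyRequires(source) {
  const dependencies = new Set(), suspect = [];
  for (const m of source.matchAll(REQUIRE_CALL)) {
    const lit = STRING_LITERAL.exec(m[1]);
    if (lit) dependencies.add(lit[2]); else suspect.push(m[1]);
  }
  return { dependencies: [...dependencies], suspect };
}
// Star height = nesting depth of unbounded quantifiers (*, +, {n,}). Height > 1,
// e.g. /(a+)+$/, is the classic catastrophic-backtracking (ReDoS) shape.
// Bounded quantifiers (?, {n}, {n,m}) are skipped and do not add to the height.
const UNBOUNDED = /^(?:[*+]|\{\d+,\})\??/;
const BOUNDED = /^(?:\?|\{\d+(?:,\d+)?\})\??/;
function starHeight(pattern) {
  const groups = [0];                  // max height seen inside each open group
  let i = 0;
  while (i < pattern.length) {
    const ch = pattern[i];
    let atom = 0;                      // height of the atom that just ended
    if (ch === '\\') i += 2;           // an escape sequence is one atom
    else if (ch === '[') { const e = pattern.indexOf(']', i + 1); i = e < 0 ? pattern.length : e + 1; }
    else if (ch === '(') {
      groups.push(0); i += 1;
      if (pattern[i] === '?') {        // skip (?: (?= (?! (?<= (?<! (?<name> prefixes
        const close = pattern[i + 1] === '<' && !/[=!]/.test(pattern[i + 2]) ? pattern.indexOf('>', i) : i + 1;
        i = close < 0 ? pattern.length : close + 1;
      }
      continue;                        // '(' itself is not an atom
    } else if (ch === ')') { atom = groups.length > 1 ? groups.pop() : 0; i += 1; }
    else i += 1;
    const rest = pattern.slice(i);
    let q = UNBOUNDED.exec(rest);
    if (q) { atom += 1; i += q[0].length; }
    else if ((q = BOUNDED.exec(rest))) i += q[0].length;
    groups[groups.length - 1] = Math.max(groups[groups.length - 1], atom);
  }
  return groups[0];
}
function isUnsafeRegex(re) { return starHeight(re instanceof RegExp ? re.source : re) > 1; }
// Constructed sample file: three static requires plus one hidden behind a variable.
const SAMPLE = ['const fs = require("fs");', "const path = require('path');",
  'const lib = require("./lib");', 'const name = "http";', 'module.exports = require(name);'].join('\n');
console.log(classifyRequires(SAMPLE), isUnsafeRegex(/^(a+)+$/));
```

Star height is only a heuristic: a pattern like `(a|aa)+$` has height 1 yet still backtracks badly, which is why nsecure delegates this judgement to a dedicated package.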