registry  /  @craxjs/crax  /  1.1.1

@craxjs/crax@1.1.1

Lightweight React framework built on Vite. A Next.js alternative that brings back the simplicity of Create React App.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 15.1 KB of source, external domains: example.com, github.com, raw.githubusercontent.com

Source & flagged code

3 flagged · loading source
dist/index.jsView file
148} L149: const { spawn } = await import("child_process"); L150: const tsxBin = resolve(cwd, "node_modules", ".bin", "tsx");
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L148
7import { createInterface } from "readline"; L8: var __dirname = fileURLToPath(new URL(".", import.meta.url)); L9: var REPO_RAW = "https://raw.githubusercontent.com/craxjs/crax/main"; L10: var LATEST_VERSION = 1; L11: async function prompt(question) { L12: const rl = createInterface({ input: process.stdin, output: process.stdout }); L13: return new Promise( ... L28: function detectPackageManager() { L29: const ua = process.env.npm[redacted] ?? ""; L30: if (ua.startsWith("yarn")) return "yarn"; ... L43: const { pipeline } = await import("stream/promises"); L44: const { createGunzip } = await import("zlib");
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L7
148} L149: const { spawn } = await import("child_process"); L150: const tsxBin = resolve(cwd, "node_modules", ".bin", "tsx"); ... L157: console.error(`Error running tsx: ${err.message}`); L158: console.error("Make sure tsx is installed: pnpm add -D tsx"); L159: process.exit(1);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L148

Findings

3 High3 Medium4 Low
HighChild Processdist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings