
@create-node-app/core@0.6.10

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version (0.6.3) introduced a dangerous source file.

Decision evidence (public snapshot)

Behavioral surface
Source: Child Process, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: URL Strings
Manifest: Wildcard Dependency

Scanned 2 file(s), 85.4 KB of source. External domains referenced: blogs.msdn.microsoft.com, bun.sh, github.com, pnpm.js.org, registry.npmjs.org, registry.yarnpkg.com, yarnpkg.com

Source & flagged code

3 flagged

dist/index.cjs
matchType: previous_version_dangerous_delta
matchedPackage: @create-node-app/core@0.6.3
matchedIdentity: npm:QGNyZWF0ZS1ub2RlLWFwcC9jb3Jl:0.6.3
similarity: 0.500
summary: stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
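What a previous-version delta check does, shown as an added example that is not the scanner's code and not part of this package: take the file sets of two stored versions, score their overlap, and report files that only the newer version carries and that contain a dangerous signal. The package name, file contents, the signal patterns and the Jaccard-over-paths similarity are constructed assumptions for the example; the page does not say which metric produced its 0.500.

```javascript
// Added example: previous-version dangerous delta. The similarity metric
// (Jaccard over file paths) and the "dangerous signal" patterns are assumptions
// made for this example, not the scanner's own definitions.
const DANGEROUS_SIGNALS = [
  /\brequire\s*\(\s*["'](?:node:)?child_process["']\s*\)/,
  /\bfrom\s+["'](?:node:)?child_process["']/,
  /\bprocess\.env\b/,
  /https?:\/\/[^\s"'`]+/,
];

// Jaccard similarity of two lists of file paths: |A ∩ B| / |A ∪ B|.
function jaccard(a, b) {
  const A = new Set(a), B = new Set(b);
  let shared = 0;
  for (const x of A) if (B.has(x)) shared++;
  return shared / (A.size + B.size - shared);
}

// prev, cur: objects mapping file path -> file contents for the two versions.
// Returns the overlap score, the files only the newer version has, and which of
// those added files carry a dangerous signal (with the matching pattern sources).
function dangerousDelta(prev, cur) {
  const prevFiles = Object.keys(prev);
  const curFiles = Object.keys(cur);
  const added = curFiles.filter((f) => !(f in prev));
  const flagged = added
    .map((f) => ({
      file: f,
      signals: DANGEROUS_SIGNALS.filter((re) => re.test(cur[f])).map((re) => re.source),
    }))
    .filter((x) => x.signals.length > 0);
  return { similarity: jaccard(prevFiles, curFiles), added, flagged };
}

// Constructed sample versions of a hypothetical package (not the real package's
// files): the newer version adds a CJS build that reaches for child_process.
const PREV = {
  'package.json': '{ "name": "@example/pkg", "version": "0.6.3", "main": "dist/index.js" }',
  'dist/index.js': 'import semver from "semver";\nexport const check = (v) => semver.valid(v) !== null;\n',
};
const CUR = {
  'package.json': '{ "name": "@example/pkg", "version": "0.6.10", "main": "dist/index.js" }',
  'dist/index.js': 'import semver from "semver";\nexport const check = (v) => semver.valid(v) !== null;\n',
  'dist/index.cjs': 'var cp = require("child_process");\nmodule.exports.run = (bin) => cp.execFileSync(bin, ["--version"]);\n',
  'README.md': '# pkg\n',
};

console.log(JSON.stringify(dangerousDelta(PREV, CUR), null, 2));
```

Note the limitation: this only looks at files that are new in the later version. A dangerous change inside a file that exists in both versions would keep the similarity at 1.0 and produce no flag, so a content-level diff is still needed alongside the file-set comparison.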

dist/index.cjs
L52: // index.ts
L53: var import_picocolors4 = __toESM(require("picocolors"), 1);
L54: var import_envinfo = __toESM(require("envinfo"), 1);
Medium
Dynamic Require

Package source references dynamic require/import behavior. The quoted lines wrap a string-literal require in esbuild's __toESM interop helper, so the module specifier is fixed; this signal on its own does not show runtime-computed module loading, and review should look for a require()/import() whose argument is not a literal.

dist/index.cjs · L52
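To separate a genuinely dynamic module load from a bundler's interop wrapper around a literal specifier, the following added example (not the scanner's code and not part of this package) classifies every require()/import() call in a source string by whether its argument is a single string literal. The first two sample lines are the ones quoted from dist/index.cjs above; the remaining sample lines and the names in them are constructed.

```javascript
// Added example: classify require()/import() call sites as static or dynamic.
// A call is "static" when its argument is one string literal; anything computed
// (concatenation, template literal, path.join(...), a variable) is "dynamic".
// One level of nested parentheses inside the argument is tolerated.
const CALL_RE = /\b(require|import)\s*\(\s*((?:[^()]|\([^()]*\))*?)\s*\)/g;
const LITERAL_RE = /^(['"])(?:(?!\1)[^\\]|\\.)*\1$/;

function classifyRequires(src) {
  const out = [];
  for (const m of src.matchAll(CALL_RE)) {
    const [, callee, arg] = m;
    const line = src.slice(0, m.index).split('\n').length; // 1-based line number
    out.push({ line, callee, arg, kind: LITERAL_RE.test(arg) ? 'static' : 'dynamic' });
  }
  return out;
}

const dynamicOnly = (src) => classifyRequires(src).filter((r) => r.kind === 'dynamic');

// Constructed sample: lines 1-2 are the ones the report quotes from dist/index.cjs
// (esbuild's __toESM interop around a literal require); lines 3-4 are hypothetical
// and show what runtime-computed loading looks like.
const SAMPLE = [
  'var import_picocolors4 = __toESM(require("picocolors"), 1);',
  'var import_envinfo = __toESM(require("envinfo"), 1);',
  'var plugin = require(path.join(__dirname, "plugins", name));',
  'var lazy = import(`./locale/${process.env.LANG}.js`);',
].join('\n');

console.log(classifyRequires(SAMPLE));
```

On the sample, the two quoted lines come back as static and only the two constructed lines as dynamic, which is the distinction a reviewer wants before spending time on a Dynamic Require signal.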
dist/index.js
L12: var getDirname = () => path.dirname(getFilename());
L13: var __dirname = /* @__PURE__ */ getDirname();
L14: ...
L18: import semver3 from "semver";
L19: import { execFileSync as execFileSync3 } from "child_process";
L20: ...
L34: import semver from "semver";
L35: import dns from "dns";
L36: import { URL as URL2 } from "url";
...
L38: // executable.ts
L39: var resolveExecutable = (bin) => process.platform === "win32" ? `${bin}.cmd` : bin;
L40:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. The quoted evidence is the process.platform === "win32" check in resolveExecutable, which selects a .cmd suffix; that is the usual way to invoke npm-installed command shims on Windows, so review should confirm the gate controls nothing beyond the executable name handed to execFileSync.

dist/index.js · L12
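The co-location heuristic behind a "gated capability" finding, as an added example that is neither the scanner's code nor part of this package: find execution, network and credential sinks that sit within a few lines of an environment gate (platform check, CI variable, hostname, clock). The first sample reuses the two lines quoted from dist/index.js above plus a hypothetical call site; the second sample, the tool name in it and the gate and sink patterns are constructed assumptions.

```javascript
// Added example: report sinks that sit within `span` lines of an environment gate.
// Co-location is a heuristic, not proof of evasion: the reviewer still has to read
// which branch the gate selects (skip on CI vs. pick a platform-specific filename).
const GATES = [
  { name: 'platform', re: /process\.platform\s*[=!]==?\s*["'][a-z0-9]+["']/ },
  { name: 'ci-env', re: /process\.env\.(CI|GITHUB_ACTIONS|BUILD_NUMBER|TRAVIS|JENKINS_URL)\b/ },
  { name: 'hostname', re: /\bos\.hostname\s*\(/ },
  { name: 'time', re: /\bDate\.now\s*\(|\bnew Date\s*\(/ },
];
// The \d* allows for bundler-renamed imports such as execFileSync3.
const SINKS = [
  { name: 'exec', re: /\b(execFileSync|execSync|execFile|exec|spawnSync|spawn)\d*\s*\(/ },
  { name: 'network', re: /\b(fetch|https?\.request|dns\.(?:lookup|resolve\w*))\d*\s*\(/ },
  { name: 'credential', re: /process\.env\.\w*(TOKEN|SECRET|KEY|PASSWORD)\w*/ },
];

function findGatedSinks(src, span = 5) {
  const lines = src.split('\n');
  const hits = [];
  lines.forEach((text, i) => {
    for (const sink of SINKS) {
      if (!sink.re.test(text)) continue;
      // Look back up to `span` lines (and at the sink line itself) for a gate.
      for (let j = Math.max(0, i - span); j <= i; j++) {
        for (const gate of GATES) {
          if (gate.re.test(lines[j])) {
            hits.push({ line: i + 1, sink: sink.name, gate: gate.name, gateLine: j + 1 });
          }
        }
      }
    }
  });
  return hits;
}

// Constructed sample 1: the two lines the report quotes from dist/index.js plus a
// hypothetical call site. The platform check only picks the .cmd shim name on
// Windows, so this is the benign shape a reviewer should expect to see flagged.
const BENIGN = [
  'import { execFileSync as execFileSync3 } from "child_process";',
  'var resolveExecutable = (bin) => process.platform === "win32" ? `${bin}.cmd` : bin;',
  'var npmVersion = execFileSync3(resolveExecutable("npm"), ["--version"]).toString().trim();',
].join('\n');

// Constructed sample 2: the evasive shape the finding describes, where the
// sensitive work is skipped on CI and build hosts and runs only elsewhere.
const EVASIVE = [
  'const os = require("os");',
  'const { execSync } = require("child_process");',
  'function run() {',
  '  if (process.env.CI || os.hostname().startsWith("runner-")) return;',
  '  const token = process.env.NPM_TOKEN || "";',
  '  execSync("some-tool --token " + token);',
  '}',
].join('\n');

console.log('benign:', findGatedSinks(BENIGN));
console.log('evasive:', findGatedSinks(EVASIVE));
```

Both samples produce hits, which is the point: the detector cannot tell a filename suffix selected by platform from a payload skipped on CI. What separates them is the gate's direction (the evasive sample returns early when a CI marker is present) and what the gated branch does, and that judgement belongs to the source-aware review the report routes to.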

Findings

2 High · 5 Medium · 3 Low

High · Sandbox Evasion Gated Capability · dist/index.js
High · Previous Version Dangerous Delta · dist/index.cjs
Medium · Dynamic Require · dist/index.cjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Scripts Present
Low · Filesystem
Low · Url Strings