@create-node-app/core@0.6.2

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain
UrlStrings
Manifest
WildcardDependency
scanned 2 file(s), 82.2 KB of source, external domains: blogs.msdn.microsoft.com, bun.sh, github.com, pnpm.js.org, registry.npmjs.org, registry.yarnpkg.com, yarnpkg.com

Source & flagged code

2 flagged
dist/index.cjs
L43: module.exports = __toCommonJS(index_exports);
L44: var import_picocolors4 = __toESM(require("picocolors"), 1);
L45: var import_envinfo = __toESM(require("envinfo"), 1);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.cjs · L43
dist/index.js
L12: var getDirname = () => path.dirname(getFilename());
L13: var __dirname = /* @__PURE__ */ getDirname();
L14: ...
L18: import semver3 from "semver";
L19: import { execFileSync as execFileSync3 } from "child_process";
L20: ...
L34: import semver from "semver";
L35: import dns from "dns";
L36: import { URL as URL2 } from "url";
...
L38: // executable.ts
L39: var resolveExecutable = (bin) => process.platform === "win32" ? `${bin}.cmd` : bin;
L40:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.js · L12

Findings

1 High · 5 Medium · 3 Low
High · Sandbox Evasion Gated Capability · dist/index.js
Medium · Dynamic Require · dist/index.cjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Scripts Present
Low · Filesystem
Low · Url Strings