registry  /  @elaraai/create-east  /  1.0.39

@elaraai/create-east@1.0.39

Scaffold a new East project (AGPL-3.0, Node-only): npm create @elaraai/east

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chain
UrlStrings
Manifest
CopyleftLicense
scanned 5 file(s), 26.4 KB of source, external domains: docs.astral.sh

Source & flagged code

3 flagged · loading source
dist/index.jsView file
5import { join as join2, relative as relative2 } from "node:path"; L6: import { spawnSync } from "node:child_process"; L7:
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L5
5import { join as join2, relative as relative2 } from "node:path"; L6: import { spawnSync } from "node:child_process"; L7: ... L122: function patchNodeWorkspaceRoot(projectDir) { L123: const path = join(projectDir, "package.json"); L124: const pkg = JSON.parse(readFileSync(path, "utf8")); L125: const globs = new Set(Array.isArray(pkg.workspaces) ? pkg.workspaces : []); ... L346: const { kind, name, templateDir, version } = options; L347: const cwd = options.cwd ?? process.cwd(); L348: const log = options.log ?? ((m) => console.log(m)); ... L425: function hasCommand(cmd) { L426: const probe = process.platform === "win32" ? "where" : "which";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L5
426const probe = process.platform === "win32" ? "where" : "which"; L427: return spawnSync(probe, [cmd], { stdio: "ignore" }).status === 0; L428: } ... L432: if (npm.status !== 0) { L433: log("npm install failed \u2014 fix the issue and re-run `npm install`."); L434: return;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L426

Findings

4 High1 Medium4 Low
HighChild Processdist/index.js
HighShell
HighSandbox Evasion Gated Capabilitydist/index.js
HighRuntime Package Installdist/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings
LowCopyleft License