registry  /  @lukoweb/apitogo  /  0.1.47

@lukoweb/apitogo@0.1.47

Framework for building high quality, interactive API documentation.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
NoLicense
scanned 445 file(s), 1.54 MB of source, external domains: api.github.com, api.zuploedge.com, apitogo.com, app.posthog.com, cdn.jsdelivr.net, cdn.simpleicons.org, cdn.zudoku.dev, chatgpt.com, claude.ai, code.visualstudio.com, deploy-server-dotnet2-b3fkcaaraydbckfe.canadacentral-01.azurewebsites.net, docs.apitogo.com, docs.cursor.com, docs.mcp.run, dp-example.azurecontainerapps.io, example.com, fonts.googleapis.com, github.com, help.openai.com, httpproblems.com, llmstxt.org, lucide.dev, modelcontextprotocol.io, securetoken.google.com, swagger.io, test.local, ui.shadcn.com, www.example.com, www.w3.org, zudoku.dev, zuplo.com

Source & flagged code

8 flagged · loading source
dist/cli/cli.jsView file
7368// src/vite/mdx/remark-last-modified.ts L7369: import { spawnSync } from "node:child_process"; L7370: import { stat as stat3 } from "node:fs/promises";
High
Child Process

Package source references child process execution.

dist/cli/cli.jsView on unpkg · L7368
9000native: "%windir%\\System32", L9001: mixed: "%windir%\\sysnative\\cmd.exe /c %windir%\\System32" L9002: };
High
Shell

Package source references shell execution.

dist/cli/cli.jsView on unpkg · L9000
7382if (!checkGitAvailable()) return false; L7383: const result = spawnSync("git", ["rev-parse", "--is-shallow-repository"], { L7384: encoding: "utf-8", ... L7391: hasWarnedShallowClone = true; L7392: if (process.env.VERCEL) { L7393: console.warn( ... L7397: console.warn( L7398: "The repository is shallow cloned, so the latest modified time may not be accurate. See https://github.com/actions/checkout#fetch-all-history-for-all-tags-and-branches to fetch all... L7399: );
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/cli.jsView on unpkg · L7382
17"src/cli/common/package-json.ts"() { L18: getPackageJsonPath = (pkg) => fileURLToPath(import.meta.resolve(`${pkg}/package.json`)).replaceAll( L19: path.sep, ... L21: ); L22: getPackageJson = (pkgPath) => JSON.parse(readFileSync(pkgPath, "utf-8")); L23: getZudokuPackageJson = () => getPackageJson(getPackageJsonPath("@lukoweb/apitogo")); ... L33: logger = createLogger( L34: process.env.LOG_LEVEL ?? "info", L35: { ... L492: `Language "${lang}" is not loaded for syntax highlighting. Add it to \`syntaxHighlighting.languages\` in your config. Falling back to plain text. L493: See https://docs.apitogo.com/docs/markdown/code-blocks#configuration` L494: );
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/cli.jsView on unpkg · L17
17"src/cli/common/package-json.ts"() { L18: getPackageJsonPath = (pkg) => fileURLToPath(import.meta.resolve(`${pkg}/package.json`)).replaceAll( L19: path.sep, ... L21: ); L22: getPackageJson = (pkgPath) => JSON.parse(readFileSync(pkgPath, "utf-8")); L23: getZudokuPackageJson = () => getPackageJson(getPackageJsonPath("@lukoweb/apitogo")); ... L33: logger = createLogger( L34: process.env.LOG_LEVEL ?? "info", L35: { ... L492: `Language "${lang}" is not loaded for syntax highlighting. Add it to \`syntaxHighlighting.languages\` in your config. Falling back to plain text. L493: See https://docs.apitogo.com/docs/markdown/code-blocks#configuration` L494: );
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/cli/cli.jsView on unpkg · L17
dist/cli/worker.jsView file
117var { template, distDir, serverConfigPath, entryServerPath, writeRedirects } = Piscina.workerData; L118: var server = await import(entryServerPath); L119: var rawConfig = await import(serverConfigPath).then(
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/worker.jsView on unpkg · L117
dist/declarations/config/validators/ZudokuConfig.d.tsView file
315patternName = generic_password severity = medium line = 315 matchedText = password...rd";
Medium
Secret Pattern

Hardcoded password in dist/declarations/config/validators/ZudokuConfig.d.ts

dist/declarations/config/validators/ZudokuConfig.d.tsView on unpkg · L315
6719patternName = generic_password severity = medium line = 6719 matchedText = password...rd";
Medium
Secret Pattern

Hardcoded password in dist/declarations/config/validators/ZudokuConfig.d.ts

dist/declarations/config/validators/ZudokuConfig.d.tsView on unpkg · L6719

Findings

4 High7 Medium6 Low
HighChild Processdist/cli/cli.js
HighShelldist/cli/cli.js
HighSame File Env Network Executiondist/cli/cli.js
HighSandbox Evasion Gated Capabilitydist/cli/cli.js
MediumDynamic Requiredist/cli/worker.js
MediumUnsafe Vm Contextdist/cli/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/declarations/config/validators/ZudokuConfig.d.ts
MediumSecret Patterndist/declarations/config/validators/ZudokuConfig.d.ts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License