registry  /  @lukoweb/apitogo  /  0.1.59

@lukoweb/apitogo@0.1.59

Framework for building high quality, interactive API documentation.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
NoLicense
scanned 458 file(s), 1.64 MB of source, external domains: api.example.com, api.github.com, api.zuploedge.com, apitogo.com, app.posthog.com, cdn.jsdelivr.net, cdn.simpleicons.org, cdn.zudoku.dev, chatgpt.com, claude.ai, code.visualstudio.com, deploy-server-dotnet2-b3fkcaaraydbckfe.canadacentral-01.azurewebsites.net, docs.apitogo.com, docs.cursor.com, docs.mcp.run, dp-example.azurecontainerapps.io, example.com, fonts.googleapis.com, github.com, help.openai.com, httpproblems.com, llmstxt.org, lucide.dev, modelcontextprotocol.io, securetoken.google.com, swagger.io, test.local, ui.shadcn.com, www.example.com, www.w3.org, zudoku.dev, zuplo.com

Source & flagged code

9 flagged · loading source
dist/cli/cli.jsView file
8595// src/vite/mdx/remark-last-modified.ts L8596: import { spawnSync } from "node:child_process"; L8597: import { stat as stat3 } from "node:fs/promises";
High
Child Process

Package source references child process execution.

dist/cli/cli.jsView on unpkg · L8595
10106native: "%windir%\\System32", L10107: mixed: "%windir%\\sysnative\\cmd.exe /c %windir%\\System32" L10108: };
High
Shell

Package source references shell execution.

dist/cli/cli.jsView on unpkg · L10106
8609if (!checkGitAvailable()) return false; L8610: const result = spawnSync("git", ["rev-parse", "--is-shallow-repository"], { L8611: encoding: "utf-8", ... L8618: hasWarnedShallowClone = true; L8619: if (process.env.VERCEL) { L8620: console.warn( ... L8624: console.warn( L8625: "The repository is shallow cloned, so the latest modified time may not be accurate. See https://github.com/actions/checkout#fetch-all-history-for-all-tags-and-branches to fetch all... L8626: );
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/cli.jsView on unpkg · L8609
17"src/cli/common/package-json.ts"() { L18: getPackageJsonPath = (pkg) => fileURLToPath(import.meta.resolve(`${pkg}/package.json`)).replaceAll( L19: path.sep, ... L21: ); L22: getPackageJson = (pkgPath) => JSON.parse(readFileSync(pkgPath, "utf-8")); L23: getZudokuPackageJson = () => getPackageJson(getPackageJsonPath("@lukoweb/apitogo")); ... L33: logger = createLogger( L34: process.env.LOG_LEVEL ?? "info", L35: { ... L584: import path2 from "node:path"; L585: function loadApitogoConfig(rootDir = process.cwd()) { L586: const configPath = path2.join(path2.resolve(rootDir), APITOGO_CONFIG_FILENAME);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/cli.jsView on unpkg · L17
matchType = previous_version_dangerous_delta matchedPackage = @lukoweb/apitogo@0.1.48 matchedIdentity = npm:QGx1a293ZWIvYXBpdG9nbw:0.1.48 similarity = 0.817 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/cli.jsView on unpkg
17"src/cli/common/package-json.ts"() { L18: getPackageJsonPath = (pkg) => fileURLToPath(import.meta.resolve(`${pkg}/package.json`)).replaceAll( L19: path.sep, ... L21: ); L22: getPackageJson = (pkgPath) => JSON.parse(readFileSync(pkgPath, "utf-8")); L23: getZudokuPackageJson = () => getPackageJson(getPackageJsonPath("@lukoweb/apitogo")); ... L33: logger = createLogger( L34: process.env.LOG_LEVEL ?? "info", L35: { ... L584: import path2 from "node:path"; L585: function loadApitogoConfig(rootDir = process.cwd()) { L586: const configPath = path2.join(path2.resolve(rootDir), APITOGO_CONFIG_FILENAME);
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/cli/cli.jsView on unpkg · L17
dist/cli/worker.jsView file
117var { template, distDir, serverConfigPath, entryServerPath, writeRedirects } = Piscina.workerData; L118: var server = await import(entryServerPath); L119: var rawConfig = await import(serverConfigPath).then(
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/worker.jsView on unpkg · L117
dist/declarations/config/validators/ZudokuConfig.d.tsView file
315patternName = generic_password severity = medium line = 315 matchedText = password...rd";
Medium
Secret Pattern

Hardcoded password in dist/declarations/config/validators/ZudokuConfig.d.ts

dist/declarations/config/validators/ZudokuConfig.d.tsView on unpkg · L315
6736patternName = generic_password severity = medium line = 6736 matchedText = password...rd";
Medium
Secret Pattern

Hardcoded password in dist/declarations/config/validators/ZudokuConfig.d.ts

dist/declarations/config/validators/ZudokuConfig.d.tsView on unpkg · L6736

Findings

5 High7 Medium6 Low
HighChild Processdist/cli/cli.js
HighShelldist/cli/cli.js
HighSame File Env Network Executiondist/cli/cli.js
HighSandbox Evasion Gated Capabilitydist/cli/cli.js
HighPrevious Version Dangerous Deltadist/cli/cli.js
MediumDynamic Requiredist/cli/worker.js
MediumUnsafe Vm Contextdist/cli/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/declarations/config/validators/ZudokuConfig.d.ts
MediumSecret Patterndist/declarations/config/validators/ZudokuConfig.d.ts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License