registry  /  @lukoweb/create-apitogo  /  0.1.58

@lukoweb/create-apitogo@0.1.58

Create APIToGo docs site with one command

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 13 file(s), 596 KB of source, external domains: api.example.com, cdn.zuplo.com, github.com, json-schema.org, raw.githubusercontent.com, registry.npmjs.org, zuplo.com

Source & flagged code

6 flagged · loading source
dist/templates/empty/ts/.env.productionView file
patternName = blocked_file severity = critical matchedText = dist/templates/empty/ts/.env.production redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/templates/empty/ts/.env.productionView on unpkg
dist/index.jsView file
8depsCount: ${u}, L9: deps: ${p}}`};const v={keyword:"dependencies",type:"object",schemaType:"object",error:u.error,code(t){const[u,p]=splitDependencies(t);validatePropertyDeps(t,u);validateSchemaDeps(t... L10: /*!
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L8
2L3: (()=>{var t={5254:(t,u,p)=>{"use strict";Object.defineProperty(u,"__esModule",{value:true});u.createFileSystemAdapter=u.FILE_SYSTEM_ADAPTER=void 0;const m=p(7515);u.FILE_SYSTEM_ADA... L4: || (${b} == "string" && ${g} && ${g} == +${g})`).assign(w,(0,v._)`+${g}`);return;case"integer":m.elseIf((0,v._)`${b} === "boolean" || ${g} === null ... L8: depsCount: ${u}, L9: deps: ${p}}`};const v={keyword:"dependencies",type:"object",schemaType:"object",error:u.error,code(t){const[u,p]=splitDependencies(t);validatePropertyDeps(t,u);validateSchemaDeps(t... L10: /*!
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L2
2L3: (()=>{var t={5254:(t,u,p)=>{"use strict";Object.defineProperty(u,"__esModule",{value:true});u.createFileSystemAdapter=u.FILE_SYSTEM_ADAPTER=void 0;const m=p(7515);u.FILE_SYSTEM_ADA... L4: || (${b} == "string" && ${g} && ${g} == +${g})`).assign(w,(0,v._)`+${g}`);return;case"integer":m.elseIf((0,v._)`${b} === "boolean" || ${g} === null
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L2
dist/templates/index.tsView file
18const WORKSPACE_ROOT = path.resolve(PACKAGE_ROOT, "../.."); L19: const WINDOWS_SHELL = process.env.ComSpec ?? "cmd.exe"; L20:
High
Shell

Package source references shell execution.

dist/templates/index.tsView on unpkg · L18
matchType = previous_version_dangerous_delta matchedPackage = @lukoweb/create-apitogo@0.1.48 matchedIdentity = npm:QGx1a293ZWIvY3JlYXRlLWFwaXRvZ28:0.1.48 similarity = 0.714 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/templates/index.tsView on unpkg

Findings

1 Critical4 High4 Medium6 Low
CriticalCritical Secretdist/templates/empty/ts/.env.production
HighChild Processdist/index.js
HighShelldist/templates/index.ts
HighSame File Env Network Executiondist/index.js
HighPrevious Version Dangerous Deltadist/templates/index.ts
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings