
create-apollo-monorepo@0.9.166

Scaffold a monorepo with a frontend app and Apollo CMS as a git submodule backend (single-origin via Next.js rewrites + assetPrefix)

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a scaffolding CLI that creates a monorepo, initializes git, optionally adds a backend submodule, and optionally runs pnpm install when invoked by the user.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs npx create-apollo-monorepo <directory> [flags]
Impact
Creates project files and may fetch dependencies/submodule as documented; no exfiltration or covert behavior found.
Mechanism
Project scaffolder that uses child_process for git/pnpm and writes generated local proxy scripts.
Rationale
Static source inspection shows a legitimate create-* scaffolder with explicit user-triggered git/pnpm commands and generated local configuration, not covert install-time execution or data theft. The scanner signals are explained by documented scaffolding, proxy, and env-template generation behavior.
Evidence
  • package.json
  • index.mjs
  • README.md
  • <target>/package.json
  • <target>/.npmrc
  • <target>/pnpm-workspace.yaml
  • <target>/.env.local
  • <target>/.gitignore
  • <target>/README.md
  • <target>/CLAUDE.md
  • <target>/nginx.conf.sample
  • <target>/ecosystem.config.cjs
  • <target>/apps/proxy/server.mjs
  • <target>/apps/frontend/*
  • <target>/apps/cms-plugins/example-plugin/*
  • <target>/scripts/with-env.mjs
  • <target>/scripts/check-env.mjs
  • <target>/scripts/new-cms-plugin.mjs
  • <target>/apps/backend/.env.local
Network endpoints (3)
  • github.com/5Lab-Group-Co-Ltd/apollo-cms.git
  • 127.0.0.1
  • localhost

Decision evidence

public snapshot
The AI classified this package as Clean (Benign) at 93.0% confidence with low false-positive risk.
Evidence for block
  • index.mjs user-invoked bin shells out to git and pnpm during scaffolding.
  • index.mjs writes .env.local containing prompted DATABASE_URL and generated APOLLO_SECRET/CRON_SECRET into the target project.
  • index.mjs allows user-provided --backend-url for git submodule add.
Evidence against
  • package.json has no lifecycle scripts; only bin create-apollo-monorepo -> index.mjs.
  • No install-time or import-time execution beyond explicit CLI invocation.
  • Network activity is package-aligned: git submodule add to Apollo CMS repo and generated localhost reverse-proxy templates.
  • No credential harvesting or exfiltration; env reads are for generated project config and local proxy/launcher scripts.
  • Filesystem writes are confined to the requested target directory scaffold.
  • No eval/vm/native binary loading or persistence outside generated project files.
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 87.0 KB of source, external domains: 127.0.0.1, backend.internal, bun.sh, cms.example.com, git-scm.com, github.com, nodejs.org, openapi.vercel.sh, yourdomain.com

Source & flagged code

3 flagged
index.mjs
L17: import { execSync } from "node:child_process";
L18: import { randomBytes } from "node:crypto";
High
Child Process

Package source references child process execution.

index.mjs · L16
L1408: // land on the unified origin.
L1409: process.env.NEXT_PUBLIC_SITE_URL ||= \`http://localhost:\${process.env.FRONTEND_PORT}\`;
L1410: process.env.BACKEND_INTERNAL_URL ||= \`http://127.0.0.1:\${process.env.BACKEND_PORT}\`;
...
L1423: const [cmd, ...rest] = args;
L1424: const child = spawn(cmd, rest, {
L1425:   stdio: "inherit",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

index.mjs · L1408
L10: // │ └── backend/ ← git submodule → apollo-cms
L11: // ├── package.json
L12: // ├── pnpm-workspace.yaml
...
L16:
L17: import { execSync } from "node:child_process";
L18: import { randomBytes } from "node:crypto";
...
L24:
L25: const BACKEND_REPO_URL = "https://github.com/5Lab-Group-Co-Ltd/apollo-cms.git";
L26: const BACKEND_BRANCH = "main";
...
L123: function commandExists(cmd) {
L124:   return runSilent(process.platform === "win32" ? `where ${cmd}` : `which ${cmd}`) !== null;
L125: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

index.mjs · L10

Findings

4 High, 3 Medium, 3 Low
  • High: Child Process (index.mjs)
  • High: Shell
  • High: Same File Env Network Execution (index.mjs)
  • High: Sandbox Evasion Gated Capability (index.mjs)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings