registry  /  create-apollo-monorepo  /  0.9.202

create-apollo-monorepo@0.9.202

Scaffold a monorepo with a frontend app and Apollo CMS as a git submodule backend (single-origin via Next.js rewrites + assetPrefix)

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain
High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 87.0 KB of source, external domains: 127.0.0.1, backend.internal, bun.sh, cms.example.com, git-scm.com, github.com, nodejs.org, openapi.vercel.sh, yourdomain.com

Source & flagged code

3 flagged
index.mjs
L16:
L17: import { execSync } from "node:child_process";
L18: import { randomBytes } from "node:crypto";
High
Child Process

Package source references child process execution.

index.mjs · L16
L1408: // land on the unified origin.
L1409: process.env.NEXT_PUBLIC_SITE_URL ||= `http://localhost:${process.env.FRONTEND_PORT}`;
L1410: process.env.BACKEND_INTERNAL_URL ||= `http://127.0.0.1:${process.env.BACKEND_PORT}`;
...
L1423: const [cmd, ...rest] = args;
L1424: const child = spawn(cmd, rest, {
L1425:   stdio: "inherit",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

index.mjs · L1408
L10:  // │ └── backend/ ← git submodule → apollo-cms
L11:  // ├── package.json
L12:  // ├── pnpm-workspace.yaml
...
L16:
L17:  import { execSync } from "node:child_process";
L18:  import { randomBytes } from "node:crypto";
...
L24:
L25:  const BACKEND_REPO_URL = "https://github.com/5Lab-Group-Co-Ltd/apollo-cms.git";
L26:  const BACKEND_BRANCH = "main";
...
L123: function commandExists(cmd) {
L124:   return runSilent(process.platform === "win32" ? `where ${cmd}` : `which ${cmd}`) !== null;
L125: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

index.mjs · L10

Findings

4 High · 3 Medium · 3 Low
High · Child Process · index.mjs
High · Shell
High · Same File Env Network Execution · index.mjs
High · Sandbox Evasion Gated Capability · index.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings