create-dp-vue3@0.1.1

Create a Vue 3 + TypeScript + Tailwind CSS project

AI Security Review

scanned 20h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Vue project scaffolder that copies a template into a user-selected project directory and may initialize git when the user confirms.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs create-dp-vue3 CLI.
Impact
Creates a Vue starter project; no credential harvesting, exfiltration, lifecycle mutation, or persistence found.
Mechanism
Template file copy and project-name substitution.
Rationale
Static inspection shows a normal user-invoked Vue scaffolder; scanner findings map to sample template networking and public env variables, not secrets or exfiltration. Cursor rules are copied into the generated project as documented coding guidance and are not installed through lifecycle hooks or into a foreign global agent surface.
Evidence
• package.json
• index.js
• src/index.js
• src/render.js
• src/prompts.js
• template/.env.production
• template/src/lib/http/client.ts
• template/src/features/user/services/user.service.ts
• template/.cursor/rules/dp-vue3-core.mdc
• targetDir/**
• targetDir/package.json
• targetDir/README.md
• targetDir/src/router
• targetDir/src/views/user
• targetDir/src/views/error
• targetDir/src/components/layout
• targetDir/src/features/user
• targetDir/src/main.ts
• targetDir/src/App.vue
• targetDir/src/views/home/HomeView.vue
Network endpoints (1)
jsonplaceholder.typicode.com

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
(none listed)
Evidence against
• package.json has no npm lifecycle hooks; only a user-invoked bin points to index.js.
• index.js only imports src/index.js, which prompts the user and then scaffolds a target project directory.
• src/render.js copies bundled template files, rewrites the package name and README, optionally removes router files, and optionally runs git init after a prompt.
• The only network reference is the template value VITE_API_BASE_URL=https://jsonplaceholder.typicode.com, used by the sample axios client endpoints.
• template/.env.production contains only public Vite variables, not credentials.
• template/.cursor/rules files are project coding rules copied by an explicit scaffold command, with no tool registration, persistence, or command execution.

Behavioral surface
Source: ChildProcess, Filesystem, Network, Shell
Supply chain: No supply-chain packaging signals triggered.
Manifest: No License
scanned 32 file(s), 19.2 KB of source

Source & flagged code

1 flagged
template/.env.production
patternName = blocked_file
severity = critical
matchedText = template/.env.production
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text

Critical: Critical Secret
Package contains a critical-looking secret pattern (template/.env.production).

Findings

1 Critical, 1 Medium, 3 Low
• Critical: Critical Secret (template/.env.production)
• Medium: Network
• Low: Scripts Present
• Low: Filesystem
• Low: No License