2import { Command } from 'commander';
L3: import child_process, { execFileSync, ChildProcess, execFile, spawnSync, spawn } from 'node:child_process';
L4: import { randomBytes, randomUUID } from 'node:crypto';
HighChild Process
Package source references child process execution.
dist/index.jsView on unpkg · L2 14import util, { debuglog, stripVTControlCharacters, inspect, promisify, callbackify, aborted, styleText } from 'node:util';
L15: import process$2, { platform, hrtime, execPath, execArgv, stdout, stdin } from 'node:process';
L16: import tty, { ReadStream } from 'node:tty';
16066const installCommand = shellQuote.quote([pm, "install"]);
L16067: await exec(installCommand, {
L16068: cwd: projectPath
...
L16075: }
L16076: var TEMPLATES_API_URL = process.env.MASTRA_TEMPLATES_API_URL || "https://mastra.ai/api/templates.json";
L16077: async function loadTemplates() {
HighSame File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.jsView on unpkg · L16066 8919// If `subprocess.stdin` is destroyed before being fully written to, it is considered aborted and should throw an error.
L8920: // This can happen for example when user called `subprocess.stdin.destroy()` before `subprocess.stdin.end()`.
L8921: // However, Node.js calls `subprocess.stdin.destroy()` on exit for cleanup purposes.
L8922: // https://github.[redacted]child_process.js#L278
L8923: // This is normal and should not throw an error.
...
L8928: // The only way to detect this is to spy on `subprocess.stdin._destroy()` by wrapping it.
L8929: // If `subprocess.exitCode` or `subprocess.signalCode` is set, it means `.destroy()` is being called by Node.js itself.
L8930: const handleStdinDestroy = (stream, {originalStreams: [originalStdin], subprocess}) => {
HighCommand Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L8919 2import { Command } from 'commander';
L3: import child_process, { execFileSync, ChildProcess, execFile, spawnSync, spawn } from 'node:child_process';
L4: import { randomBytes, randomUUID } from 'node:crypto';
...
L7: import fs4__default__default, { readFile, mkdir, writeFile, chmod, unlink } from 'node:fs/promises';
L8: import { createServer } from 'node:http';
L9: import os, { homedir, release, constants } from 'node:os';
...
L14: import util, { debuglog, stripVTControlCharacters, inspect, promisify, callbackify, aborted, styleText } from 'node:util';
L15: import process$2, { platform, hrtime, execPath, execArgv, stdout, stdin } from 'node:process';
L16: import tty, { ReadStream } from 'node:tty';
...
L90: // with no body, we should not to set Content-Type
L91: serializedBody === void 0 || // if serialized body is FormData; browser will correctly set Content-Type & boundary expression
L92: serializedBody instanceof FormData ? {} : {
HighSandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/index.jsView on unpkg · L2