registry  /  create-weld-app  /  0.12.0

create-weld-app@0.12.0

Create a new WELD app — npm create weld-app

AI Security Review

scanned 30m ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI creates a WELD/Vite project in a user-selected directory and installs its declared dependencies when invoked.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `create-weld-app` / `npm create weld-app`.
Impact
Expected project-file creation and dependency installation; no package install-time execution.
Mechanism
Explicit project scaffolding plus `npm install` in the generated project.
Rationale
The scanner's child-process finding is the CLI's explicit, user-triggered `npm install` step. Source inspection found no concrete malicious behavior.
Evidence
package.jsondist/index.js<user-project>/package.json<user-project>/src/App.tsx<user-project>/src/main.tsx<user-project>/README.md

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has only `prepublishOnly`; no install lifecycle hook.
    • `dist/index.js` is a user-invoked scaffold CLI.
    • `npm install` runs only after user CLI scaffolding.
    • No harvesting, exfiltration, dynamic loading, persistence, or AI-agent writes found.
    Behavioral surface
    Source
    ChildProcessFilesystemShell
    Supply chain
    UrlStrings
    Manifest
    NoLicense
    scanned 1 file(s), 10.5 KB of source, external domains: weld-docs.vercel.app

    Source & flagged code

    2 flagged · loading source
    dist/index.jsView file
    3// src/index.ts L4: import { execSync } from "child_process"; L5: import { mkdir, writeFile, copyFile } from "fs/promises";
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L3
    311try { L312: execSync("npm install", { cwd: dest, stdio: "inherit" }); L313: } catch { L314: console.log(` L315: ${c.dim("(run npm install manually)")}`); L316: }
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/index.jsView on unpkg · L311

    Findings

    3 High5 Low
    HighChild Processdist/index.js
    HighShell
    HighRuntime Package Installdist/index.js
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowUrl Strings
    LowNo License