
ugly-app@0.1.765

⚠ Under review

A full-stack TypeScript framework for shipping production web apps with one CLI. Scaffold with `npx ugly-app init my-app` and get an opinionated Express + React + PostgreSQL stack with built-in auth, type-safe RPC over WebSocket and HTTP, real-time docume

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced a dangerous source file.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Minified, Url Strings
Manifest: No License
scanned 1,089 file(s), 7.05 MB of source, external domains: 127.0.0.1, accounts.google.com, api.cloudflare.com, api.githubcopilot.com, api.ugly.bot, app.x, blob.ugly.bot, cdn.example.com, cdn.ugly.bot, console.neon.tech, dash.cloudflare.com, docs.mcp.cloudflare.com, example.com, example.test, github.com, mcp.atlassian.com, mcp.deepwiki.com, mcp.linear.app, mcp.notion.com, mcp.sentry.dev, mcp.stripe.com, mcp.vercel.com, myapp.com, news.app, oauth2.googleapis.com, oauth2.neon.tech, other.app, placehold.co, rtc.live.cloudflare.com, ugly.bot, vega.github.io, www.gstatic.com, www.w3.org, x.com, x.example.com, y.com

Source & flagged code

6 flagged
dist/native/node.js
  L6: const fs = await import('node:fs');
  L7: const cp = await import('node:child_process');
  L8: return { fsp: fs.promises, realpathSync: fs.realpathSync, spawn: cp.spawn };
High
Child Process

Package source references child process execution.

dist/native/node.js · L6
dist/inspect/client.js
  L19: }
  L20: eval(req) {
  L21:     return this.invoke('inspect.eval', req);
Low
Eval

Package source references a known benign dynamic code generation pattern. The matched token is a method named `eval` on the inspect client, which forwards its request to the `inspect.eval` RPC; the excerpt does not itself call JavaScript `eval`, so the server-side handler of that RPC is where a reviewer should look for actual code execution.

dist/inspect/client.js · L19
dist/cli/uglyappConfig.js
  L191: try {
  L192:     const esbuild = (await import('esbuild'));
  L193:     if (typeof esbuild.stop === 'function') {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/uglyappConfig.js · L191
dist/server/Logging.js
  L29: function getStudioSessionId() {
  L30:     const raw = process.env['UGLY_STUDIO_SESSION_ID'];
  L31:     return raw && raw.length > 0 ? raw : undefined;
  ...
  L327:     const date = new Date().toISOString().split('T')[0]; // YYYY-MM-DD
  L328:     return path.join(process.cwd(), 'logs', `dev-${date}.jsonl`);
  L329: }
  ...
  L506: };
  L507: // debug: captured to JSONL only in dev, NOT printed to stdout
  L508: console.debug = (...args) => {
Low
Weak Crypto

Package source references weak cryptographic algorithms. The excerpt shown reads `UGLY_STUDIO_SESSION_ID` from the environment, builds a dated JSONL log path under the working directory and redirects `console.debug`; the algorithm reference itself is not visible in it, so check the full file before treating this as more than a Low signal.

dist/server/Logging.js · L29
dist/cli/publish/providers/cloudflare.js
  L1122:  * 4. Upload secrets non-interactively via `wrangler secret bulk <file>`.
  L1123:  * 5. `npx wrangler deploy -c <tempConfig>` — wrangler builds + pushes the
  L1124:  *    container image and binds the container DO.
  ...
  L1130: const fsp = await import('node:fs/promises');
  L1131: const { spawn } = await import('node:child_process');
  L1132: if (!opts.apiToken || !opts.accountId || !opts.scriptName) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime. In the excerpt, the deploy step documented in the comment is `npx wrangler deploy -c <tempConfig>`, run through `spawn` from `node:child_process`; `npx` fetches a package that is not already installed, which is what this signal points at. A reviewer should confirm where the `wrangler` dependency and its version come from and that the spawned command line is built only from trusted options.

dist/cli/publish/providers/cloudflare.js · L1122
dist/server/App.js
  matchType = previous_version_dangerous_delta
  matchedPackage = ugly-app@0.1.734
  matchedIdentity = npm:dWdseS1hcHA:0.1.734
  similarity = 0.900
  summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server/App.js
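Added example, not code from ugly-app or from rust-scanner: a small offline re-implementation of two of the checks this report applies, the Behavioral surface tags listed under Decision evidence and the Previous Version Dangerous Delta verdict above, so a reviewer can reproduce the "file added since the stored version, carrying a dangerous signal" logic against two unpacked versions of a package. The signal names follow the report; the regular expressions, the set of signals treated as dangerous, the similarity metric and its threshold, and the two sample file trees are assumptions of this example, not the scanner's actual rules.

```javascript
'use strict';

// Added example, not code from ugly-app or from the registry scanner.
// It reproduces, in simplified form, two checks from the report above:
//   1. Behavioral surface: which risky Node APIs a source file references.
//   2. Previous Version Dangerous Delta: files present in the new version but
//      absent from the stored previous one that carry a dangerous signal.
// The regexes, DANGEROUS set, similarity metric/threshold and sample trees are
// this example's assumptions, not the scanner's real rules.

// Token-level patterns keyed by the report's signal names (assumed patterns).
const SIGNALS = [
  ['ChildProcess',    /\bnode:child_process\b|['"]child_process['"]/],
  ['Eval',            /\beval\s*\(/],            // token match: also hits a method *named* eval
  ['DynamicRequire',  /\bawait\s+import\s*\(|\brequire\s*\(\s*[^'"`)\s]/],
  ['EnvironmentVars', /\bprocess\.env\b/],
  ['Filesystem',      /\bnode:fs(?:\/promises)?\b|['"]fs['"]/],
  ['Network',         /\bnode:(?:https?|net)\b|\bfetch\s*\(/],
  ['Shell',           /\bshell\s*:\s*true\b|\bexec(?:Sync)?\s*\(/],
  ['WebSocket',       /\bWebSocket\b/],
];

// Signals that, in a newly added file, make it a "dangerous source file" (assumption).
const DANGEROUS = new Set(['ChildProcess', 'Shell', 'Eval']);
// Minimum share of retained files before the two versions count as the same
// package body (assumption; the report above shows similarity = 0.900).
const SIMILARITY_THRESHOLD = 0.75;

// Returns the names of every signal whose pattern occurs in `source`.
function behavioralSurface(source) {
  return SIGNALS.filter(([, re]) => re.test(source)).map(([name]) => name);
}

// Compares two unpacked versions given as { path: sourceText } objects.
// similarity = fraction of the new version's files that already existed.
function dangerousDelta(prevFiles, nextFiles) {
  const nextPaths = Object.keys(nextFiles);
  const added = nextPaths.filter((p) => !(p in prevFiles)).sort();
  const similarity =
    nextPaths.length === 0 ? 0 : (nextPaths.length - added.length) / nextPaths.length;
  const findings = [];
  for (const path of added) {
    const signals = behavioralSurface(nextFiles[path]).filter((s) => DANGEROUS.has(s));
    if (signals.length > 0) findings.push({ path, signals });
  }
  // Critical only when the package body is recognisably the same one and a
  // dangerous file was introduced; a brand-new package is judged on its own.
  const critical = findings.length > 0 && similarity >= SIMILARITY_THRESHOLD;
  return {
    added,
    similarity: Number(similarity.toFixed(3)),
    findings,
    severity: critical ? 'Critical' : findings.length > 0 ? 'High' : 'None',
    summary: critical
      ? 'stored previous version shares package body but lacks dangerous source file(s): ' +
        findings.map((f) => f.path).join(', ')
      : 'no dangerous delta against stored previous version',
  };
}

// Constructed sample trees (not the real ugly-app contents).
const PREVIOUS = {
  'package.json': '{ "name": "demo", "version": "0.1.0" }',
  'dist/index.js': "import { createServer } from 'node:http';\nexport const app = createServer();",
  'dist/log.js': "const id = process.env['DEMO_SESSION_ID'];\nexport { id };",
  'dist/util.js': 'export const add = (a, b) => a + b;',
};
const NEXT = {
  ...PREVIOUS,
  'package.json': '{ "name": "demo", "version": "0.1.1" }',
  // The one added file: dynamic imports of fs and child_process, shaped like the
  // dist/native/node.js excerpt above.
  'dist/native/node.js':
    "export async function native() {\n" +
    "  const fs = await import('node:fs');\n" +
    "  const cp = await import('node:child_process');\n" +
    "  return { fsp: fs.promises, spawn: cp.spawn };\n}",
};

console.log(JSON.stringify(dangerousDelta(PREVIOUS, NEXT), null, 2));
```

To apply the same comparison to the real package, unpack the tarballs from `npm pack ugly-app@0.1.734` and `npm pack ugly-app@0.1.765` and load each tree into a `{ path: source }` object. Because the signals are token matches, a method merely named `eval` trips the Eval signal exactly as the dist/inspect/client.js finding above shows, so every hit still needs a source-aware look before it becomes a verdict.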

Findings

1 Critical · 3 High · 4 Medium · 7 Low

Critical · Previous Version Dangerous Delta · dist/server/App.js
High · Child Process · dist/native/node.js
High · Shell
High · Runtime Package Install · dist/cli/publish/providers/cloudflare.js
Medium · Dynamic Require · dist/cli/uglyappConfig.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · dist/inspect/client.js
Low · Weak Crypto · dist/server/Logging.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License