create-awesome-node-app is a code-generation tool. By design, it downloads and
executes templates from remote sources. This inherent trust model means that a
malicious template (or a compromised template repository) can execute arbitrary
code on the user's machine or exfiltrate sensitive data.
- Templates are fetched over HTTPS and cached locally. Cache entries are
verified with
git fsckviacna cache verify. - File copy uses reflinks or hardlinks where available; no post-copy execution
happens outside the explicitly declared
packagehook (see below). - Catalog fetches (template registry) include a 10-second timeout and a
descriptive
User-Agentheader. - The
cna.config.jsonloader rejectstype: "invisible"andtype: "password"prompt types to prevent covert input harvesting by templates.
When using a template or extension from an untrusted source, pin it to a specific commit SHA:
create-awesome-node-app my-app \
--template https://github.com/owner/repo/tree/main/path?ref=abc123def456abc123def456abc123def456abc1This prevents a future commit to the same branch from executing on your
machine without your knowledge. Set CNA_STRICT_REPRO=1 to enforce that all
ref parameters are full 40-character hex SHAs.
Templates can ship a package.js (or .cjs) module that is loaded and
executed by @create-node-app/core during scaffolding. This module receives
the merged configuration (including --set values, package manager, app name)
and can modify the generated package.json, add dependencies, or run
side-effects.
This is a deliberate feature of the composable template system. Before
using a template, audit its package module:
# After cloning, inspect the template's package module
ls <cache>/<template-id>/
<editor> <cache>/<template-id>/package.jsThe CLI makes the following outbound HTTP calls:
| Call | Purpose | Timeout | User-Agent |
|---|---|---|---|
registry.npmjs.org |
Version check (dist-tags) |
10 s | create-node-app-core/<version> |
github.com/ghraw |
Template catalog templates.json |
10 s | create-awesome-node-app/<version> |
github.com |
Template clone (via git) |
(git default) | git/ (system user-agent) |
Various (via npm install) |
Dependency install | (npm default) | npm/ (system user-agent) |
If you find a security issue in the CLI itself, please open a GitHub Security Advisory rather than a public issue.
For vulnerabilities in templates or extensions published through the cna-templates registry, please open an issue in that repository.
We aim to acknowledge reports within 48 hours and ship a fix within 7 days for medium-severity issues.