← Home

@shopify/create-app

npm Repository Homepage

A CLI tool to create a new Shopify app.

8
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

jaimie.wayshopify-adminshopify-depmishsmellebuitammychris.craig

Keywords

shopifyshopify-clishopify-partnersshopify-apps

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff net-exec-file:dist/chunk-DNF3EUMN.js AI (source-diff): Bundled third-party deps in esbuild output; standard pattern for @shopify/create-app. ai
source-diff large-new-source-files AI (source-diff): Major version bump with full rebundle; expected for @shopify/create-app release cadence. ai
source-diff net-exec-file:dist/chunk-YUPQUA3D.js AI (source-diff): Bundled third-party deps in esbuild output; standard pattern for @shopify/create-app. ai
source-diff net-exec-file:dist/chunk-UX6FRPFM.js AI (source-diff): Bundled third-party deps in esbuild output; standard pattern for @shopify/create-app. ai
source-diff net-exec-file:dist/chunk-STHW3YIX.js AI (source-diff): Bundled third-party deps in esbuild output; standard pattern for @shopify/create-app. ai
source-diff net-exec-file:dist/chunk-LNOZTAML.js AI (source-diff): Bundled third-party deps in esbuild output; standard pattern for @shopify/create-app. ai
source-diff net-exec-file:dist/chunk-27ZXSSGX.js AI (source-diff): Standard esbuild bundle of legitimate npm deps; readable source paths confirm no obfuscation. ai
source-diff net-exec-file:dist/chunk-QCVAV5PM.js AI (source-diff): Standard esbuild bundle of legitimate npm deps; readable source paths confirm no obfuscation. ai
source-diff net-exec-file:dist/chunk-XDAJMLCV.js AI (source-diff): Standard esbuild bundle of legitimate npm deps; readable source paths confirm no obfuscation. ai
source-diff net-exec-file:dist/chunk-GUVQJPFV.js AI (source-diff): Standard esbuild bundle of legitimate npm deps; readable code, no obfuscation, SLSA-attested CI publish. ai
source-diff net-exec-file:dist/chunk-77I3TRE2.js AI (source-diff): Standard esbuild bundle of legitimate npm deps; readable code, no obfuscation, SLSA-attested CI publish. ai
source-diff net-exec-file:dist/chunk-4IXPA7MG.js AI (source-diff): Standard esbuild bundle of legitimate npm deps; readable code, no obfuscation, SLSA-attested CI publish. ai
source-diff net-exec-file:dist/chunk-V6HCEO5N.js AI (source-diff): Standard esbuild bundle of legitimate npm deps; readable, non-obfuscated code from known packages. ai
source-diff net-exec-file:dist/chunk-IFG7N3S2.js AI (source-diff): Standard esbuild bundle of legitimate npm deps; readable, non-obfuscated code from known packages. ai
source-diff net-exec-file:dist/chunk-3QXHJGOG.js AI (source-diff): Standard esbuild bundle of legitimate npm deps; readable, non-obfuscated code from known packages. ai
phantom-deps phantom-dep:esbuild AI (phantom-deps): esbuild is a declared runtime dependency used as a bundler binary; phantom-dep heuristic is a stable false positive here. ai
source-diff net-exec-file:dist/chunk-X7WPZPGY.js AI (source-diff): Standard esbuild bundle of legitimate npm deps; readable, non-obfuscated code from known packages. ai

Versions (showing 8 of 8)

Version Deps Published
4.0.0 1 / 4
3.94.3 1 / 4
3.94.2 1 / 4
3.94.1 1 / 4
3.94.0 1 / 4
3.93.2 1 / 4
3.93.1 1 / 4
3.93.0 1 / 4

v4.0.0

6 findings
HIGH New file with network + code execution: dist/chunk-DNF3EUMN.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/chunk-LNOZTAML.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/chunk-STHW3YIX.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/chunk-UX6FRPFM.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/chunk-YUPQUA3D.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.94.2

5 findings
HIGH New file with network + code execution: dist/chunk-27ZXSSGX.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/chunk-IFG7N3S2.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/chunk-QCVAV5PM.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/chunk-XDAJMLCV.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.94.1

5 findings
HIGH New file with network + code execution: dist/chunk-4IXPA7MG.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/chunk-77I3TRE2.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/chunk-GUVQJPFV.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/chunk-IFG7N3S2.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.94.0

5 findings
HIGH New file with network + code execution: dist/chunk-3QXHJGOG.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/chunk-IFG7N3S2.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/chunk-V6HCEO5N.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/chunk-X7WPZPGY.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.93.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.93.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.93.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.