app.js
rule:javascript.lang.security.detect-non-literal-require.detect-non-literal-require: Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load an run arbitrary code, or access arbitrary files. Details: https://sg.run/zvNn
151:                             const route = require( `${dir}/${fname}` );

executors/javascript/executor.js
rule:javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression: Detected eval(variable), which could allow a malicious actor to run arbitrary code. Details: https://sg.run/6nwK
102:             eval( functionTemplate ); // eslint-disable-line no-eval

src/subprocess.js
rule:javascript.lang.security.detect-child-process.detect-child-process: Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability. Details: https://sg.run/l2lo
12:      const process = spawn( binary, args, options );
ran 7 rules on 13 files: 3 findings