registry  /  @binaryjack/formular.dev  /  2.3.1

@binaryjack/formular.dev@2.3.1

A modern form framework-agnostic builder, featuring a user-friendly interface, customizable components, and robust validation.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The only network-capable path is explicit caller invocation of configuration loading with a supplied path/URL.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Consumer calls configuration manager `loadJson(path)` with a local path or URL.
Impact
May retrieve a user-selected configuration resource; no automatic exfiltration, persistence, or code execution was established.
Mechanism
Reads and parses caller-selected JSON configuration.
Rationale
Static source inspection supports a normal form/configuration library. Scanner network and secret signals map to explicit configuration loading and validation terminology, not a concrete malicious chain.
Evidence
package.jsondist/formular-dev.mjsdist/formular-dev.cjsdist/__vite-browser-external-DYxpcVy9.mjsdist/types/src/simple-api.d.tsdist/types/src/core/managers/configuration-manager/interfaces/i-configuration-manager.d.tsdist/__vite-browser-external-BcPniuRQ.jsdist/types/src/index.d.tsdist/types/src/submission-strategy.d.ts

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/formular-dev.mjs` exposes `loadJson(path)`, which can fetch a caller-supplied JSON configuration URL at runtime.
  • `dist/formular-dev.mjs` conditionally reads a caller-supplied local path in Node, but the bundled browser external shim exports an empty object.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, `prepare`, or `bin` entry.
  • Entrypoints are only the library bundles in `dist/formular-dev.cjs` and `dist/formular-dev.mjs`.
  • No credential harvesting, environment access, shell/process execution, filesystem writes, or destructive APIs were found in executable bundles.
  • Runtime network use is confined to explicit `loadJson(path)` configuration loading; schema URLs are identifiers, not observed requests.
  • Type declarations document a form-validation library and caller-provided submission handler/configuration APIs.
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 477 KB of source, external domains: formular.dev, json-schema.org

Source & flagged code

4 flagged · loading source
dist/formular-dev.mjsView file
2803patternName = generic_password severity = medium line = 2803 matchedText = var Va =...{});
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/formular-dev.mjsView on unpkg · L2803
dist/formular-dev.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @binaryjack/formular.dev@2.3.0 matchedIdentity = npm:[redacted]:2.3.0 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/formular-dev.cjsView on unpkg
17patternName = generic_password severity = medium line = 17 matchedText = ${e.mess...{e}.
Medium
Secret Pattern

Hardcoded password in dist/formular-dev.cjs

dist/formular-dev.cjsView on unpkg · L17
dist/types/src/core/framework/common/common.input.types.d.tsView file
15patternName = generic_password severity = medium line = 15 matchedText = password...ord"
Medium
Secret Pattern

Hardcoded password in dist/types/src/core/framework/common/common.input.types.d.ts

dist/types/src/core/framework/common/common.input.types.d.tsView on unpkg · L15

Findings

1 High4 Medium3 Low
HighPrevious Version Dangerous Deltadist/formular-dev.cjs
MediumSecret Patterndist/formular-dev.mjs
MediumNetwork
MediumSecret Patterndist/types/src/core/framework/common/common.input.types.d.ts
MediumSecret Patterndist/formular-dev.cjs
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings