registry  /  @binaryjack/formular.dev  /  2.1.2

@binaryjack/formular.dev@2.1.2

A modern form framework-agnostic builder, featuring a user-friendly interface, customizable components, and robust validation.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The only network/file primitive is an explicit configuration loader that reads or fetches a caller-provided JSON config.

Static reason
One or more suspicious static signals were detected.
Trigger
User code explicitly calls loadJson with a path or URL
Impact
Loads user-selected JSON configuration into the library; no exfiltration, persistence, install-time execution, or destructive behavior found
Mechanism
form framework configuration loading and validation
Rationale
Static inspection shows a form builder/validation library with package-aligned presets, validators, configuration schemas, and an explicit loadJson helper. Scanner network and secret signals are explained by user-invoked config loading, schema/documentation URLs, and validation terminology rather than attack behavior.
Evidence
package.jsondist/formular-dev.mjsdist/formular-dev.cjsREADME.mduser-provided path passed to loadJson

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/formular-dev.mjs loadJson can fetch/read a user-supplied configuration path when explicitly called
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts
  • package.json entrypoints are dist/formular-dev.cjs and dist/formular-dev.mjs only
  • dist/formular-dev.mjs imports no child_process, shell execution, eval, env harvesting, cookie/localStorage access, or file writes
  • dist/formular-dev.mjs fetch/readFile is limited to explicit loadJson configuration loading and JSON parsing
  • secret hits are form preset/validator names such as password, credit-card, token placeholders, not embedded credentials
  • README/package URLs are badges, repository, registry, and documentation-aligned schema identifiers
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 477 KB of source, external domains: formular.dev, json-schema.org

Source & flagged code

3 flagged · loading source
dist/formular-dev.mjsView file
2803patternName = generic_password severity = medium line = 2803 matchedText = var Va =...{});
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/formular-dev.mjsView on unpkg · L2803
dist/types/src/core/framework/common/common.input.types.d.tsView file
15patternName = generic_password severity = medium line = 15 matchedText = password...ord"
Medium
Secret Pattern

Hardcoded password in dist/types/src/core/framework/common/common.input.types.d.ts

dist/types/src/core/framework/common/common.input.types.d.tsView on unpkg · L15
dist/formular-dev.cjsView file
17patternName = generic_password severity = medium line = 17 matchedText = ${e.mess...{e}.
Medium
Secret Pattern

Hardcoded password in dist/formular-dev.cjs

dist/formular-dev.cjsView on unpkg · L17

Findings

4 Medium3 Low
MediumSecret Patterndist/formular-dev.mjs
MediumNetwork
MediumSecret Patterndist/types/src/core/framework/common/common.input.types.d.ts
MediumSecret Patterndist/formular-dev.cjs
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings