registry  /  @binaryjack/formular.dev  /  2.3.0

@binaryjack/formular.dev@2.3.0

A modern form framework-agnostic builder, featuring a user-friendly interface, customizable components, and robust validation.

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The only network primitive is a consumer-called JSON configuration loader aligned with the form framework feature set.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer explicitly calls loadJson with a path or URL.
Impact
No unconsented execution, exfiltration, persistence, or destructive behavior identified.
Mechanism
User-directed configuration loading and form validation utilities.
Rationale
Static inspection shows a form framework bundle with validation schemas, presets, DOM/input managers, and a user-invoked configuration loader; scanner network and secret hits are package-aligned or documentation/metadata. No lifecycle execution, hidden payload, credential collection, exfiltration endpoint, shell execution, or persistence was found.
Evidence
package.jsonREADME.mddist/formular-dev.mjsdist/formular-dev.cjsdist/__vite-browser-external-DYxpcVy9.mjsdist/__vite-browser-external-BcPniuRQ.js

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/formular-dev.mjs has user-invoked loadJson that can fetch/read a caller-supplied configuration path.
  • dist/formular-dev.mjs exports form presets containing password/payment field names, causing noisy secret-pattern hits.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks or bin entry.
  • Main/module entries are bundled form validation and UI/input management code with no import-time exfiltration behavior found.
  • fetch/readFile usage in dist/formular-dev.mjs:3775-3795 only loads JSON configuration when loadJson is called by the consumer.
  • No child_process, eval, credential harvesting, persistence, or package/project file writes found in inspected entrypoints.
  • dist/__vite-browser-external-DYxpcVy9.mjs is an empty Vite browser external shim, not a payload.
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 475 KB of source, external domains: formular.dev, json-schema.org

Source & flagged code

3 flagged · loading source
dist/formular-dev.mjsView file
2759patternName = generic_password severity = medium line = 2759 matchedText = var Va =...{});
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/formular-dev.mjsView on unpkg · L2759
dist/types/src/core/framework/common/common.input.types.d.tsView file
15patternName = generic_password severity = medium line = 15 matchedText = password...ord"
Medium
Secret Pattern

Hardcoded password in dist/types/src/core/framework/common/common.input.types.d.ts

dist/types/src/core/framework/common/common.input.types.d.tsView on unpkg · L15
dist/formular-dev.cjsView file
17patternName = generic_password severity = medium line = 17 matchedText = ${e.mess...{e}.
Medium
Secret Pattern

Hardcoded password in dist/formular-dev.cjs

dist/formular-dev.cjsView on unpkg · L17

Findings

4 Medium3 Low
MediumSecret Patterndist/formular-dev.mjs
MediumNetwork
MediumSecret Patterndist/types/src/core/framework/common/common.input.types.d.ts
MediumSecret Patterndist/formular-dev.cjs
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings