AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The only network-capable path is explicit caller invocation of configuration loading with a supplied path/URL.
Decision evidence
public snapshot- `dist/formular-dev.mjs` exposes `loadJson(path)`, which can fetch a caller-supplied JSON configuration URL at runtime.
- `dist/formular-dev.mjs` conditionally reads a caller-supplied local path in Node, but the bundled browser external shim exports an empty object.
- `package.json` has no `preinstall`, `install`, `postinstall`, `prepare`, or `bin` entry.
- Entrypoints are only the library bundles in `dist/formular-dev.cjs` and `dist/formular-dev.mjs`.
- No credential harvesting, environment access, shell/process execution, filesystem writes, or destructive APIs were found in executable bundles.
- Runtime network use is confined to explicit `loadJson(path)` configuration loading; schema URLs are identifiers, not observed requests.
- Type declarations document a form-validation library and caller-provided submission handler/configuration APIs.
Source & flagged code
4 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/formular-dev.cjsView on unpkgHardcoded password in dist/types/src/core/framework/common/common.input.types.d.ts
dist/types/src/core/framework/common/common.input.types.d.tsView on unpkg · L15