registry  /  @chenwy_24/components  /  0.1.5

@chenwy_24/components@0.1.5

Vue 3 component library with Apple-style design

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The rich-text editor can POST user-selected uploads only when a consumer configures server upload mode and an upload URL.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer renders RichTextEditor and configures uploadMethod/uploadAction.
Impact
Selected editor files may be sent to the consumer-selected endpoint; no package-owned endpoint or automatic exfiltration is present.
Mechanism
Consumer-configured file upload via fetch.
Rationale
Direct inspection shows a bundled Vue UI library with an explicitly consumer-configured editor upload feature, not install-time or covert attack behavior. Scanner network, environment, and Unicode signals are attributable to normal browser/editor dependencies and comments.
Evidence
package.jsondist/index.jsdist/RichTextEditor-DVzxjZi8.jsdist/use-tiptap-editor-CNZqlZNJ.jsdist/index-BtfvaBW2.jsdist/index.cjsdist/use-tiptap-editor-CDtxAVvg.cjs

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle hooks or bin entrypoints.
    • dist/index.js only exports Vue component-library modules.
    • RichTextEditor upload defaults to base64 and only uses fetch with consumer-supplied uploadAction.
    • No child_process, filesystem, eval, Function, WebSocket, or credential-harvesting APIs found.
    • Reported Unicode is a ProseMirror comment U+200B and Tippy/linkify emoji U+200D text, not obfuscation.
    • Dynamic imports load package chunks or declared vxe-table dependency.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsNetwork
    Supply chain
    HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 12 file(s), 2.49 MB of source, external domains: atomiks.github.io, developer.mozilla.org, example.com, github.com, prosemirror.net, undraw.co, w3c.github.io, www.w3.org

    Source & flagged code

    2 flagged · loading source
    dist/use-tiptap-editor-CNZqlZNJ.jsView file
    1556contains invisible/control Unicode U+200B (zero width space) Get the _n_<U+200B>th outgoing edge from this node in the finite
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/use-tiptap-editor-CNZqlZNJ.jsView on unpkg · L1556
    Trigger-reachable chain: manifest.module -> dist/index.js -> dist/index-BtfvaBW2.js -> dist/use-tiptap-editor-CNZqlZNJ.js Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/use-tiptap-editor-CNZqlZNJ.jsView on unpkg

    Findings

    2 Critical3 Medium5 Low
    CriticalTrojan Source Unicodedist/use-tiptap-editor-CNZqlZNJ.js
    CriticalTrigger Reachable Dangerous Capabilitydist/use-tiptap-editor-CNZqlZNJ.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings