registry  /  @clerk/ui  /  1.25.4

@clerk/ui@1.25.4

Internal package that contains the UI components for the Clerk frontend SDKs

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network use is tied to Clerk UI features and an explicit Google One Tap authentication flow; no install-time execution, harvesting, persistence, or exfiltration was identified.

Static reason
One or more suspicious static signals were detected.
Trigger
Application imports or renders Clerk UI features; Google script loading requires the One Tap flow.
Impact
No unconsented local mutation or concrete malicious behavior established.
Mechanism
Browser UI rendering, optional Clerk API calls, and conditional Google Identity Services script loading.
Rationale
Static hints are explained by a browser UI bundle, normal authentication integrations, and Rspack runtime bootstrap code. Source inspection found no concrete malicious chain or install-time attack behavior.
Evidence
package.jsonregister/index.mjsregister/index.cjsdist/index.jsdist/entry.jsdist/server.jsdist/ui.browser.jsdist/utils/one-tap.jsdist/ui.shared.browser.jsdist/components/GoogleOneTap/one-tap-start.jsdist/components/devPrompts/KeylessPrompt/use-revalidate-environment.jsdist/components/SessionTasks/tasks/TaskChooseOrganization/CreateOrganizationScreen.js
Network endpoints1
accounts.google.com/gsi/client

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall lifecycle hooks.
    • `dist/index.js`, `dist/entry.js`, and `dist/server.js` only export the Clerk UI API.
    • `register/index.mjs` and `register/index.cjs` only register React modules on `globalThis` for bundle sharing.
    • No `child_process`, `process.env`, filesystem-write, `eval`, or VM execution occurrences were found.
    • `dist/utils/one-tap.js` loads Google Identity Services only when the user-facing One Tap flow initializes.
    • `Function("return this")` in browser bundles is standard Rspack global-object bootstrap code.
    Behavioral surface
    Source
    ChildProcessCryptoNetworkShellWebSocket
    Supply chain
    HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1,516 file(s), 9.41 MB of source, external domains: accounts.google.com, api.mainnet-beta.solana.com, clerk.com, dashboard.clerk.com, fonts.googleapis.com, fonts.gstatic.com, github.com, go.clerk.com, img.clerk.com, img.clerkstage.dev, img.lclclerk.com, reactjs.org, schemas.xmlsoap.org, solana.com, solanamobile.com, stripe.com, www.w3.org

    Source & flagged code

    3 flagged · loading source
    dist/ui-common_ui_2501bd_1.25.4.jsView file
    14patternName = generic_password severity = medium line = 14 matchedText = `}),(0,o...i7)`
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/ui-common_ui_2501bd_1.25.4.jsView on unpkg · L14
    dist/ui-common_ui_928e75_1.25.4.jsView file
    1patternName = generic_password severity = medium line = 1 matchedText = "use str...}]);
    Medium
    Secret Pattern

    Hardcoded password in dist/ui-common_ui_928e75_1.25.4.js

    dist/ui-common_ui_928e75_1.25.4.jsView on unpkg · L1
    dist/ui-common_ui_c5169b_1.25.4.jsView file
    14patternName = generic_password severity = medium line = 14 matchedText = `}),(0,o...i7)`
    Medium
    Secret Pattern

    Hardcoded password in dist/ui-common_ui_c5169b_1.25.4.js

    dist/ui-common_ui_c5169b_1.25.4.jsView on unpkg · L14

    Findings

    6 Medium4 Low
    MediumSecret Patterndist/ui-common_ui_2501bd_1.25.4.js
    MediumNetwork
    MediumProtestware
    MediumStructural Risk Force Deep Review
    MediumSecret Patterndist/ui-common_ui_928e75_1.25.4.js
    MediumSecret Patterndist/ui-common_ui_c5169b_1.25.4.js
    LowScripts Present
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings