registry  /  @dofe/infra-common  /  0.1.87

@dofe/infra-common@0.1.87

Cross-project NestJS runtime — decorators, guards, interceptors, filters, pipes, middleware, config

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a compiled NestJS common library with decorators, guards, config validation, encryption, and utility exports; sensitive-looking strings are schema keys or environment variable names.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports library or explicitly calls config/helper APIs at runtime.
Impact
No evidence of credential harvesting, exfiltration, persistence, destructive behavior, or unconsented install-time mutation.
Mechanism
Runtime config validation and framework helper utilities
Rationale
Static source inspection shows legitimate framework/configuration utilities; scanner hits map to environment/config schema handling and benign crypto use. There is no lifecycle execution, automatic outbound networking, exfiltration, destructive action, or AI-agent control hijack.
Evidence
package.jsondist/index.jsdist/config/configuration.jsdist/config/env-config.service.jsdist/config/validation/keys.validation.jsdist/encryption.service.jsdist/utils/audit-signature.util.jsdist/decorators/cache/cache.decorator.js

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/config/configuration.js can read consumer config.local.yaml and keys/config.json only when initConfig/initKeysConfig/getSecretConfigByKey are called.
  • dist/config/env-config.service.js exposes env-derived config getters, including local/internal URLs and tokens.
  • dist/config/validation/keys.validation.js contains credential field schemas such as private_key/apiKey/accessKey, not embedded secret values.
Evidence against
  • package.json has no preinstall/install/postinstall hooks and no bin entry.
  • dist/index.js only re-exports NestJS modules/utilities; no install-time mutation or network action found.
  • No child_process, eval/vm/Function, native binary loading, broad filesystem writes, or AI-agent control-surface writes found.
  • Crypto use is package-aligned: AES-256-GCM encryption, HMAC-SHA256 audit signatures, and MD5 only for cache/feature bucketing keys.
  • Network strings are config schemas/examples/default localhost values; no exfiltration endpoint or automatic outbound request found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 93 file(s), 430 KB of source, external domains: ipinfo.io

Source & flagged code

3 flagged · loading source
dist/config/validation/keys.validation.jsView file
37patternName = private_key_rsa severity = critical line = 37 matchedText = .refine(...), {
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/config/validation/keys.validation.jsView on unpkg · L37
37patternName = private_key_rsa severity = critical line = 37 matchedText = .refine(...), {
Critical
Secret Pattern

RSA private key in dist/config/validation/keys.validation.js

dist/config/validation/keys.validation.jsView on unpkg · L37
dist/decorators/cache/cache.decorator.jsView file
32* }) L33: * async updateUser(userId: string, data: any) { ... } L34: * ```
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/decorators/cache/cache.decorator.jsView on unpkg · L32

Findings

2 Critical1 Medium6 Low
CriticalCritical Secretdist/config/validation/keys.validation.js
CriticalSecret Patterndist/config/validation/keys.validation.js
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/decorators/cache/cache.decorator.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License