registry  /  @dofe/infra-utils  /  0.1.85

@dofe/infra-utils@0.1.85

Pure function utilities — crypto, file, string, array, object, pagination, logging; zero NestJS dependency

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a compiled CommonJS utility library with user-invoked HTTP, env loading, logging, validation, crypto, and masking helpers.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing or calling exported utility functions
Impact
No unauthorized install-time/import-time execution, exfiltration, persistence, or destructive behavior identified.
Mechanism
caller-directed utility functions
Rationale
The suspicious signals are package-aligned utilities: fetch is caller-directed, environment access is for env/config helpers, and secret-looking strings are masking rule names. Static inspection found no concrete malicious chain or unconsented lifecycle behavior.
Evidence
package.jsondist/index.jsdist/http-client.jsdist/load-env.util.jsdist/logger.util.jsdist/sensitive-data-masker.util.jsdist/skill-validator.util.jsdist/ssrf-protection.util.jslogs/* when getWinstonConfig('file'|'both') is usedcaller-specified env files when loadEnv/loadEnvFile is used

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks; only build/typecheck/clean/postbuild scripts.
    • dist/index.js only re-exports utility modules; no import-time network or process execution observed.
    • dist/http-client.js wraps caller-supplied fetch URLs and has no hardcoded endpoint.
    • dist/load-env.util.js reads caller-specified env files under PROJECT_ROOT/cwd and does not exfiltrate values.
    • dist/sensitive-data-masker.util.js contains field names like token/password for masking, not embedded secrets.
    • No child_process, eval/Function, hardcoded URLs, credential harvesting, or AI-agent control-surface writes found by source inspection.
    Behavioral surface
    Source
    CryptoEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStrings
    Manifest
    NoLicense
    scanned 33 file(s), 146 KB of source

    Source & flagged code

    2 flagged · loading source
    dist/sensitive-data-masker.util.jsView file
    41patternName = generic_password severity = medium line = 41 matchedText = password...rd',
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/sensitive-data-masker.util.jsView on unpkg · L41
    42patternName = generic_password severity = medium line = 42 matchedText = pwd: '...
    Medium
    Secret Pattern

    Hardcoded password in dist/sensitive-data-masker.util.js

    dist/sensitive-data-masker.util.jsView on unpkg · L42

    Findings

    4 Medium4 Low
    MediumSecret Patterndist/sensitive-data-masker.util.js
    MediumNetwork
    MediumEnvironment Vars
    MediumSecret Patterndist/sensitive-data-masker.util.js
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowNo License