registry  /  @duro-app/ui  /  0.39.0

@duro-app/ui@0.39.0

AI Security Review

scanned 6h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Installation has no lifecycle execution, and the runtime bundle is a React UI component library without network, shell, filesystem, credential, or AI-agent control-surface behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports and renders UI components.
Impact
No confirmed unconsented mutation, exfiltration, remote execution, persistence, or destructive action.
Mechanism
UI rendering, form helpers, and optional local color-mode preference persistence.
Rationale
Static source inspection confirms a standard ESM React design-system package with no install-time hooks or concrete attack chain. Scanner findings are explained by UI demo text, benign localStorage preference persistence, and NODE_ENV production checks.
Evidence
package.jsonsrc/index.tssrc/components/Form/Form.stories.tsxsrc/components/ColorMode/ColorMode.tsxsrc/components/Table/Table.tsxdist/index.jssrc/platform.tssrc/platform.native.ts

Decision evidence

public snapshot
AI called this Clean at 99.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` contains no preinstall/install/postinstall/prepare hooks or `bin` entry.
    • `src/index.ts` only exports UI components and imports package CSS.
    • `dist/index.js` imports React and declared UI peer dependencies; no network, shell, filesystem, or dynamic loader APIs found.
    • `src/components/Form/Form.stories.tsx` contains only form validation/demo fields; the secret-pattern flag is a false positive.
    • `src/components/ColorMode/ColorMode.tsx` uses browser localStorage only for an explicit color-mode preference.
    • `process.env.NODE_ENV` in source/bundle is production-mode gating, not environment harvesting.
    Behavioral surface
    Source
    EnvironmentVars
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 238 file(s), 922 KB of source, external domains: docs.example.com, example.com, react.dev

    Source & flagged code

    1 flagged · loading source
    src/components/Form/Form.stories.tsxView file
    389patternName = generic_password severity = medium line = 389 matchedText = defaultV...1'}}
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    src/components/Form/Form.stories.tsxView on unpkg · L389

    Findings

    2 Medium3 Low
    MediumSecret Patternsrc/components/Form/Form.stories.tsx
    MediumEnvironment Vars
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings