registry  /  @hachej/boring-core  /  0.1.73

@hachej/boring-core@0.1.73

Foundation package for boring-ui-v2 apps: DB, auth, config, HTTP app factory, and frontend app shell.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Published server code provides opt-in application, workspace, mail, and payment features; it does not execute on install.

Static reason
No blocking static signals were detected.
Trigger
Explicit consumer import and server/runtime configuration; development server startup for dynamic Vite loading.
Impact
No unconsented install-time mutation, credential harvesting, remote payload execution, or foreign AI-agent control-surface write found.
Mechanism
Application framework routes, scoped workspace provisioning, configured mail delivery, and payment checkout integration.
Rationale
Source inspection shows a normal application foundation package with user-configured server integrations. Scanner hits correspond to explicit development tooling, environment-based configuration, and legitimate mail/payment requests rather than a concrete malicious chain.
Evidence
package.jsondist/app/server/index.jsdist/server/index.jsdist/chunk-DSENO5O4.js
Network endpoints3
api.resend.com/emailsapi.lemonsqueezy.com/v1/checkoutsapi.stripe.com/v1/checkout/sessions

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks.
    • dist/app/server/index.js only dynamically loads Vite in an explicit development-server function.
    • Filesystem operations create/read scoped workspace/frontend paths; server provisioning validates workspace IDs and prevents traversal.
    • Outbound requests target configured email/payment services or same-app API endpoints, not credential collection.
    Behavioral surface
    Source
    CryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 17 file(s), 593 KB of source, external domains: 127.0.0.1, api.lemonsqueezy.com, api.resend.com, api.stripe.com, calendly.com, fonts.googleapis.com, fonts.gstatic.com

    Source & flagged code

    1 flagged · loading source
    dist/app/server/index.jsView file
    975const apiTarget = `http://127.0.0.1:${apiPort}`; L976: const requireFromApp = createRequire(path3.join(appRoot, "package.json")); L977: const viteEntry = requireFromApp.resolve("vite");
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/app/server/index.jsView on unpkg · L975

    Findings

    3 Medium4 Low
    MediumDynamic Requiredist/app/server/index.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings