registry  /  @ibgib/core-gib  /  0.1.65

@ibgib/core-gib@0.1.65

ibgib core functionality, including base architecture for witnesses, spaces, apps, robbots, etc., as well as shared utility functions. Node v19+ needed for heavily-used isomorphic webcrypto hashing consumed in both node and browsers.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Runtime sync features can send application data only to endpoints supplied through peer configuration, and server startup is explicit.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer explicitly instantiates and connects a sync peer or calls the HTTP adapter start() method.
Impact
No install-time, import-time, credential-harvesting, persistence, or remote-payload behavior found.
Mechanism
Caller-configured HTTP, SSE, and WebSocket synchronization.
Rationale
Static hints reflect legitimate, explicitly invoked synchronization and a benign secret type declaration. Source inspection found no concrete malicious chain or automatic execution path.
Evidence
package.jsondist/index.mjsdist/common/secret/secret-types.mjssrc/sync/sync-peer/sync-peer-http-sender/sync-peer-http-sender-v1.mtssrc/sync/sync-peer/sync-peer-websocket/sync-peer-websocket-sender/sync-peer-websocket-sender-v1.mtssrc/sync/sync-peer/sync-peer-http-receiver/sync-http-node-adapter.mts

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, prepare, or bin hook.
    • dist/index.mjs is empty and performs no import-time work.
    • dist/common/secret/secret-types.mjs only defines a password enum.
    • No active child_process, eval, dynamic require, or filesystem import was found.
    • Sync network calls use caller-supplied route fields rather than hardcoded endpoints.
    • HTTP server startup is an explicit start() method with configured port/TLS options.
    Behavioral surface
    Source
    ChildProcessNetworkWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 428 file(s), 4.33 MB of source, external domains: developer.mozilla.org, ionic.io, www.w3.org

    Source & flagged code

    3 flagged · loading source
    dist/common/secret/secret-types.mjsView file
    5patternName = generic_password severity = medium line = 5 matchedText = password...rd',
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/common/secret/secret-types.mjsView on unpkg · L5
    dist/keystone/keystone-types.d.mtsView file
    209patternName = generic_password severity = medium line = 209 matchedText = change_p...rd";
    Medium
    Secret Pattern

    Hardcoded password in dist/keystone/keystone-types.d.mts

    dist/keystone/keystone-types.d.mtsView on unpkg · L209
    src/common/secret/secret-types.mtsView file
    10patternName = generic_password severity = medium line = 10 matchedText = password...ype,
    Medium
    Secret Pattern

    Hardcoded password in src/common/secret/secret-types.mts

    src/common/secret/secret-types.mtsView on unpkg · L10

    Findings

    4 Medium3 Low
    MediumSecret Patterndist/common/secret/secret-types.mjs
    MediumNetwork
    MediumSecret Patterndist/keystone/keystone-types.d.mts
    MediumSecret Patternsrc/common/secret/secret-types.mts
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings