registry  /  @iyulab/u-widgets  /  0.13.0

@iyulab/u-widgets@0.13.0

Declarative, data-driven widget system for visualization and input

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package has a browser-side URL execution sink in global/action-widget navigation. No package-initiated network, install-time execution, credential harvesting, or persistence behavior was found.

Static reason
One or more suspicious static signals were detected.
Trigger
A user clicks a `navigate` action from a spec containing an attacker-controlled `url`.
Impact
An untrusted `javascript:` URL may execute in the browser context.
Mechanism
Unvalidated action URL passed to `window.open`.
Rationale
No malicious install-time, exfiltration, persistence, or remote-payload chain was found. The unvalidated browser navigation sink is a real security risk when specs are untrusted, so warn rather than mark clean.
Evidence
package.jsondist/u-widgets.jsdist/u-widgets.js.mapschema/u-widget.schema.jsondist/u-widgets-forms.jsdist/u-widgets-math.js

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/u-widgets.js.map` source `u-widget.ts` passes `action.url` directly to `window.open` for `navigate` actions.
  • `dist/u-widgets.js.map` source `schema.ts` validates action label/action types but does not validate URL protocols.
  • A consumer-provided `javascript:` URL can be activated by a user clicking a global/action-widget navigate button.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hooks or bin entrypoint.
  • Shipped bundles contain no fetch, XHR, WebSocket, env, cookie, storage, child-process, eval, or dynamic-import primitives.
  • `uw-form.ts` emits form data as DOM events only; it does not transmit it.
  • Citation, markdown, image, video, and gallery URL paths explicitly reject javascript/data/vbscript schemes.
  • The scanner's forms "secret" match is the normal HTML input type `password` in `dist/u-widgets-forms.js`.
Behavioral surface
Source
ChildProcess
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 201 KB of source, external domains: developer.mozilla.org, example.com, github.com, lit.dev, placehold.co

Source & flagged code

1 flagged · loading source
dist/u-widgets-forms.jsView file
7patternName = generic_password severity = medium line = 7 matchedText = password...rd",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/u-widgets-forms.jsView on unpkg · L7

Findings

1 Medium3 Low
MediumSecret Patterndist/u-widgets-forms.js
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings