The user-invoked CLI starts an unauthenticated static HTTP server. Its request path is not normalized or checked to remain under `dist`, enabling traversal to files readable by the CLI process.
Static reason
No blocking static signals were detected.
Trigger
User runs `j2`; a local or network-reachable client requests a traversal path such as `/../../...`.
Impact
May disclose arbitrary readable local files to an HTTP client if traversal requests reach the server.
Mechanism
Path traversal through static-file path joining.
Rationale
No evidence indicates malicious install-time behavior, payload staging, or exfiltration. The source does contain a concrete arbitrary-file-read path traversal in the user-invoked HTTP server, so it warrants a warning rather than a block.
Evidence
package.jsondist/cli.mjsdist/index.htmldist/sw.jsdist/assets/ServerContext--WJRCsZm.js