The user-invoked CLI exposes a static HTTP server. Its request-path handling permits traversal out of `distPath`, potentially serving readable local files to a network client.
Static reason
No blocking static signals were detected.
Trigger
Run `j2` or `npx @jean2/client`; request a traversal path from the listening HTTP server.
Impact
Potential disclosure of files readable by the invoking user; no install-time behavior or confirmed package-operated exfiltration.
Mechanism
Unvalidated path traversal into `fs.stat` and `fs.readFile`.
Rationale
The package is not malicious by source intent, but the CLI contains a concrete path-traversal file-disclosure vulnerability and listens without an explicit loopback host. Warn rather than block because execution is user-invoked and no malicious chain is present.
Evidence
package.jsondist/cli.mjsdist/assets/ServerContext-DsBcf-gz.jsdist/assets/AccountPanel-_yRWzxDS.jsREADME.md