registry  /  @kerebron/legacy-compat  /  0.8.1

@kerebron/legacy-compat@0.8.1

Packages from NPM can be directly accessed using https://cdn.jsdelivr.net.

AI Security Review

scanned 13d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Network and WASM-loading behavior is part of a browser editor compatibility bundle and requires caller-provided asset URLs or documented CDN use.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports the package and creates/uses the editor or ODT loader.
Impact
No malicious impact confirmed by static source inspection.
Mechanism
Browser editor bundle with user-invoked asset loading
Rationale
Static inspection shows a large bundled browser/editor compatibility package with expected fetch/WASM/runtime primitives, but no install-time execution, credential collection, unauthorized file writes, or exfiltration. Scanner Trojan Source and dangerous-capability hints appear to be false positives from bundled/minified runtime code.
Evidence
package.jsonREADME.mddist/kerebron.jsdist/kerebron.cjsdist/odt_parser.internal-PfZhgDYB.jsdist/odt_parser.internal-DGJtzBJe.cjs
Network endpoints5
cdn.jsdelivr.net/npm/@kerebron/wasm@latest/assetscdn.jsdelivr.net/npm/@kerebron/legacy-compat@latest/dist/kerebron.jscdn.jsdelivr.net/npm/@kerebron/legacy-compat@latest/dist/kerebron.csscdn.jsdelivr.net/npm/@kerebron/legacy-compat@latest/dist/kerebron-light.csslocalhost:8000/dist

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/kerebron.js uses fetch/XMLHttpRequest only for user-configured asset/WASM loading.
  • dist/kerebron.js contains eval in bundled Emscripten/tree-sitter runtime support, not standalone payload execution.
  • dist/kerebron.js writes only browser localStorage UI state keys for dev toolkit/menu order.
Evidence against
  • package.json has no lifecycle scripts; entrypoints are dist/kerebron.js and dist/kerebron.cjs.
  • Exports are editor compatibility APIs: CoreEditor, AdvancedEditorKit, ExtensionHistory, createAssetLoad.
  • README.md documents CDN/browser usage and @kerebron/wasm asset loading.
  • Unicode control scan found no Trojan Source bidi/invisible characters in package entrypoints.
  • No credential/env harvesting, persistence, destructive filesystem writes, or exfiltration endpoints found.
Behavioral surface
Source
ChildProcessEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 2.21 MB of source, external domains: code.google.com, github.com, prosemirror.net, www.w3.org

Source & flagged code

3 flagged · loading source
dist/kerebron.cjsView file
16contains invisible/control Unicode U+2060 (word joiner) `),r=[],a=0,o=0;for(let e of n)r.push({nodeIdx:t,targetRow:o,targetCol:0,targetPos:a}),o++,a+=e.length+1,t+=e.length+1;return{content:e,rawTextMap:r}}function debounce$1(e,t){let n;return(...r)=>{clearTimeout(n),n=setTimeout(()=>e(...r),t)}
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/kerebron.cjsView on unpkg · L16
Trigger-reachable chain: manifest.main -> dist/kerebron.cjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/kerebron.cjsView on unpkg
26${t}`)}let r=e.clone();try{n=await WebAssembly.compileStreaming(e)}catch(e){console.error(`wasm streaming compile failed:`,e),console.error(`falling back to ArrayBuffer instantiati... L27: ${JSON.stringify(a,null,2)}`),Error(`Language.load failed: no language function found in Wasm file`);return new e(INTERNAL,r[o]())}};async function Module2(moduleArg={}){var module... L28: `)[0],s=o.match(QUERY_WORD_REGEX)?.[0]??``;switch(C._free(r),e){case QueryErrorKind.Syntax:throw new QueryError(QueryErrorKind.Syntax,{suffix:`${a}: '${o}'...`},a,0);case QueryErro...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/kerebron.cjsView on unpkg · L26

Findings

2 Critical2 Medium5 Low
CriticalTrojan Source Unicodedist/kerebron.cjs
CriticalTrigger Reachable Dangerous Capabilitydist/kerebron.cjs
MediumNetwork
MediumStructural Risk Force Deep Review
LowEvaldist/kerebron.cjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings