registry  /  @kerebron/legacy-compat  /  0.8.3

@kerebron/legacy-compat@0.8.3

Packages from NPM can be directly accessed using https://cdn.jsdelivr.net.

AI Security Review

scanned 13d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The risky primitives are package-aligned browser editor and wasm-loader behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports the editor bundle or calls createAssetLoad/ODT/tree-sitter features.
Impact
No unauthorized install-time, import-time, credential, filesystem, or exfiltration behavior found.
Mechanism
benign bundled editor, wasm loading, and UI state persistence
Rationale
Static inspection shows a bundled browser editor compatibility package with wasm/tree-sitter loaders and documented CDN asset loading, but no unconsented lifecycle execution or data theft. Scanner flags for network, eval, and invisible Unicode are explained by package functionality and benign bundled code context.
Evidence
package.jsonREADME.mddist/kerebron.jsdist/kerebron.cjsdist/odt_parser.internal-DGJtzBJe.cjsdist/__vite-browser-external-BXJKwL9l.js
Network endpoints2
cdn.jsdelivr.net/npm/@kerebron/wasm@latest/assetscdn.jsdelivr.net/npm/@kerebron/legacy-compat@latest/dist/kerebron.js

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall scripts and only exports dist JS/CSS entrypoints.
    • dist/kerebron.js fetch usage is browser/wasm asset loading, including createAssetLoad(base)(name) from caller-supplied asset base.
    • dist/kerebron.js eval occurs inside bundled Emscripten/web-tree-sitter wasm glue for EM_ASM/EM_JS handling, not obfuscated remote code execution.
    • dist/kerebron.js localStorage usage stores editor/dev-toolkit snapshots and toolbar order only.
    • Unicode control match is a zero-width character in an editor insertion string, not hidden control-flow/source spoofing.
    • No credential/env harvesting, exfiltration endpoint, persistence, destructive behavior, or AI-agent control-surface writes found.
    Behavioral surface
    Source
    ChildProcessEvalFilesystemNetwork
    Supply chain
    HighEntropyStringsMinifiedObfuscatedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 8 file(s), 2.22 MB of source, external domains: code.google.com, github.com, prosemirror.net, www.w3.org

    Source & flagged code

    3 flagged · loading source
    dist/kerebron.cjsView file
    16contains invisible/control Unicode U+2060 (word joiner) `),r=[],a=0,o=0;for(let e of n)r.push({nodeIdx:t,targetRow:o,targetCol:0,targetPos:a}),o++,a+=e.length+1,t+=e.length+1;return{content:e,rawTextMap:r}}function debounce$1(e,t){let n;return(...r)=>{clearTimeout(n),n=setTimeout(()=>e(...r),t)}
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/kerebron.cjsView on unpkg · L16
    Trigger-reachable chain: manifest.main -> dist/kerebron.cjs Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/kerebron.cjsView on unpkg
    26${t}`)}let r=e.clone();try{n=await WebAssembly.compileStreaming(e)}catch(e){console.error(`wasm streaming compile failed:`,e),console.error(`falling back to ArrayBuffer instantiati... L27: ${JSON.stringify(a,null,2)}`),Error(`Language.load failed: no language function found in Wasm file`);return new e(INTERNAL,r[o]())}};async function Module2(moduleArg={}){var module... L28: `)[0],s=o.match(QUERY_WORD_REGEX)?.[0]??``;switch(C._free(r),e){case QueryErrorKind.Syntax:throw new QueryError(QueryErrorKind.Syntax,{suffix:`${a}: '${o}'...`},a,0);case QueryErro...
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/kerebron.cjsView on unpkg · L26

    Findings

    2 Critical2 Medium5 Low
    CriticalTrojan Source Unicodedist/kerebron.cjs
    CriticalTrigger Reachable Dangerous Capabilitydist/kerebron.cjs
    MediumNetwork
    MediumStructural Risk Force Deep Review
    LowEvaldist/kerebron.cjs
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings