registry  /  @lokvis/engine-image  /  0.2.2

@lokvis/engine-image@0.2.2

Lokvis Image Engine - Browser-native image processing via Canvas / createImageBitmap (MVP) with adapter for Squoosh WASM (future)

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 3 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Network
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 32 file(s), 120 KB of source

Source & flagged code

1 flagged · loading source
dist/operations/watermark.jsView file
5* L6: * 修复 review 报告:原实现直接 `await fetch(params.image)`,攻击者可传任意 URL L7: * 让服务端发起请求,可能扫描内网(127.0.0.1 / 169.254.169.254 云元数据 / 私有网段)。
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/operations/watermark.jsView on unpkg · L5

Findings

1 High1 Medium1 Low
HighCloud Metadata Accessdist/operations/watermark.js
MediumNetwork
LowScripts Present