AI Security Review
scanned 2h ago · by lpm-firewall-aiThe only install-time concern is the `prepare` lifecycle command invoking Husky for git/local-style installs. Runtime remote loading is a declared Module Federation feature, not a package-controlled endpoint.
Static reason
No blocking static signals were detected.
Trigger
Installing from a source/git/local context that runs `prepare`, or configuring and loading a remote SSR federation entry.
Impact
May create VCS-hook setup in the current project during `prepare`; configured remotes can supply code intended for federation execution.
Mechanism
Husky setup command; user-configured remote HTTP fetch and VM module evaluation.
Rationale
No concrete malware behavior was found. The prepare-only Husky lifecycle command is a policy-defined non-blocking install-hook risk, so this should warn rather than block.
Evidence
package.jsonlib/ssrEntryLoader-D_sUES94.jslib/ssrVmStrategy-By_N71Dl.jslib/index.jslib/pluginDts-CGDIZCsD.js
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `package.json` defines `prepare: husky install`, a VCS-hook setup command that can run for git/local installs.
- `lib/ssrEntryLoader-D_sUES94.js` fetches configured remote SSR manifests/modules; `lib/ssrVmStrategy-By_N71Dl.js` evaluates their ESM graph with Node VM APIs.
Evidence against
- No `preinstall`, `install`, or `postinstall` hook is present.
- Packaged files contain no Husky configuration or hidden payload; package root contains only docs, manifest, and `lib/`.
- Remote network loading is explicit Module Federation functionality, bounded by user-configured remote entries and fetch timeouts.
- No credential harvesting, shell execution, destructive filesystem behavior, or unsolicited network endpoint was found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcelib/index.jsView file
236], ...VITE_DEFAULT_ASSET_TYPES].join("|")})(?:[?#].*)?$`, "i");
L237: function isAssetLikeImport(source) {
L238: return ASSET_LIKE_IMPORT_RE.test(source);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
lib/index.jsView on unpkg · L236Findings
4 Medium5 Low
MediumDynamic Requirelib/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings