registry  /  @module-federation/vite  /  1.16.15

@module-federation/vite@1.16.15

Vite plugin for Module Federation

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package can fetch and execute configured module-federation SSR remotes, which is its stated runtime purpose and requires host-provided remote URLs.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A host enables the exported SSR entry loader and configures a remote entry URL.
Impact
A trusted host intentionally loading an untrusted remote can execute that remote's code; no unsolicited execution or hard-coded attacker destination was found.
Mechanism
Fetches configured SSR remote modules, optionally caches them in node_modules/.ssr-cache, then imports or evaluates them.
Rationale
The flagged network, dynamic import, VM, and temporary-file behavior implements explicit module-federation SSR remote loading from host-configured URLs. Source inspection found no install-time attack, credential theft, persistence, destructive action, or package-controlled exfiltration.
Evidence
package.jsonlib/index.jslib/utils/ssrEntryLoader.jslib/ssrVmStrategy-DtpfkCw1.jsnode_modules/.ssr-cache

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json only has a prepare hook; no preinstall/install/postinstall hook.
    • lib/index.js exports Vite plugin functionality and performs build-output rewrites only.
    • lib/utils/ssrEntryLoader.js fetches and imports SSR remotes supplied by federation configuration, not hard-coded endpoints.
    • lib/ssrVmStrategy-DtpfkCw1.js uses vm.SourceTextModule solely for configured remote SSR module graphs.
    • No child-process execution, credential harvesting, exfiltration endpoint, or AI-agent config mutation found.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 4 file(s), 309 KB of source, external domains: www.w3schools.com

    Source & flagged code

    2 flagged · loading source
    lib/ssrVmStrategy-DtpfkCw1.jsView file
    15* strategy) as a fallback when no instance shares the package. L16: * 3. Plain host `import(specifier)` for everything else (node builtins, L17: * packages the remote expects the host to provide).
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    lib/ssrVmStrategy-DtpfkCw1.jsView on unpkg · L15
    lib/index.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @module-federation/vite@1.16.14 matchedIdentity = npm:QG1vZHVsZS1mZWRlcmF0aW9uL3ZpdGU:1.16.14 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
    High
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    lib/index.jsView on unpkg

    Findings

    1 High4 Medium5 Low
    HighPrevious Version Dangerous Deltalib/index.js
    MediumDynamic Requirelib/ssrVmStrategy-DtpfkCw1.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings