registry  /  @module-federation/vite  /  1.17.1

@module-federation/vite@1.17.1

Vite plugin for Module Federation

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The only install-time concern is the `prepare` lifecycle command invoking Husky for git/local-style installs. Runtime remote loading is a declared Module Federation feature, not a package-controlled endpoint.

Static reason
No blocking static signals were detected.
Trigger
Installing from a source/git/local context that runs `prepare`, or configuring and loading a remote SSR federation entry.
Impact
May create VCS-hook setup in the current project during `prepare`; configured remotes can supply code intended for federation execution.
Mechanism
Husky setup command; user-configured remote HTTP fetch and VM module evaluation.
Rationale
No concrete malware behavior was found. The prepare-only Husky lifecycle command is a policy-defined non-blocking install-hook risk, so this should warn rather than block.
Evidence
package.jsonlib/ssrEntryLoader-D_sUES94.jslib/ssrVmStrategy-By_N71Dl.jslib/index.jslib/pluginDts-CGDIZCsD.js

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` defines `prepare: husky install`, a VCS-hook setup command that can run for git/local installs.
  • `lib/ssrEntryLoader-D_sUES94.js` fetches configured remote SSR manifests/modules; `lib/ssrVmStrategy-By_N71Dl.js` evaluates their ESM graph with Node VM APIs.
Evidence against
  • No `preinstall`, `install`, or `postinstall` hook is present.
  • Packaged files contain no Husky configuration or hidden payload; package root contains only docs, manifest, and `lib/`.
  • Remote network loading is explicit Module Federation functionality, bounded by user-configured remote entries and fetch timeouts.
  • No credential harvesting, shell execution, destructive filesystem behavior, or unsolicited network endpoint was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 398 KB of source, external domains: www.w3schools.com

Source & flagged code

1 flagged · loading source
lib/index.jsView file
236], ...VITE_DEFAULT_ASSET_TYPES].join("|")})(?:[?#].*)?$`, "i"); L237: function isAssetLikeImport(source) { L238: return ASSET_LIKE_IMPORT_RE.test(source);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/index.jsView on unpkg · L236

Findings

4 Medium5 Low
MediumDynamic Requirelib/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings