registry  /  @nuxt/devtools-nightly  /  4.0.0-alpha.7-29733168.b1eede7

@nuxt/devtools-nightly@4.0.0-alpha.7-29733168.b1eede7

The Nuxt DevTools gives you insights and transparency about your Nuxt App.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Optional development features operate on the active Nuxt project and can start local VS Code integration only when enabled or launched by the user.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User enables Nuxt DevTools features or launches its VS Code integration during development.
Impact
No credential harvesting, exfiltration, stealth persistence, or unconsented install-time mutation established.
Mechanism
User-invoked local development tooling and project-scoped file editing.
Rationale
The scanner signals are explained by a feature-rich Nuxt development tool and bundled third-party client code. Source inspection found no lifecycle execution, exfiltration, remote payload loading, destructive behavior, or AI-agent control-surface mutation.
Evidence
package.jsondist/module.mjsdist/shared/devtools-nightly.nEotcg1R.mjsdist/chunks/module-main.mjsdist/chunks/vscode.mjsdist/client/_nuxt/vendor/quicktype-core-ozubcbyl.js

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with high false-positive risk.
Evidence for block
  • Optional DevTools code can launch a local VS Code server or explicit VS Code tunnel.
  • Runtime asset/config tooling can write files within the Nuxt project or `~/.nuxt/devtools`.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook or bin entrypoint.
  • `dist/module.mjs` only re-exports the Nuxt module; no install-time execution path.
  • `dist/chunks/vscode.mjs` gates server/tunnel startup behind DevTools options and a user launch action.
  • `dist/chunks/module-main.mjs` scopes asset uploads to the configured public directory and rejects traversal.
  • AI-agent environment checks in `dist/shared/devtools-nightly.nEotcg1R.mjs` only detect environment context; no agent-config writes found.
  • Direct Unicode-control inspection found no bidi/invisible controls in `dist/client/_nuxt/vendor/quicktype-core-ozubcbyl.js`.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 109 file(s), 6.66 MB of source, external domains: api.nuxt.com, api.nuxtjs.org, bit.ly, code.visualstudio.com, developer.mozilla.org, developer.twitter.com, devfra.me, devtools.nuxt.com, esm.sh, github.com, image.nuxt.com, json-schema.org, jsonquerylang.org, next.vuex.vuejs.org, nitro.unjs.io, npms.io, nuxt.com, ogp.me, pinia.esm.dev, pinia.vuejs.org, quasar.dev, raw.githubusercontent.com, rolldown.rs, svelte.dev, unhead.harlanzw.com, vee-validate.logaretm.com, vscode.dev, vuejs.org, www.npmjs.com, www.w3.org

Source & flagged code

1 flagged · loading source
dist/client/_nuxt/vendor/quicktype-core-ozubcbyl.jsView file
90contains invisible/control Unicode U+FEFF (zero width no-break space) `};delete e.items,Object.assign(e,{type:n,source:t,end:[r]});break}default:{let r=`indent`in e?e.indent:-1,i=`end`in e&&Array.isArray(e.end)?e.end.filter(e=>e.type===`space`||e.type===`comment`||e.type===`newline`):[];for(let t of Object.ke
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/client/_nuxt/vendor/quicktype-core-ozubcbyl.jsView on unpkg · L90

Findings

1 Critical5 Medium6 Low
CriticalTrojan Source Unicodedist/client/_nuxt/vendor/quicktype-core-ozubcbyl.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings