@opengis/fastify-table@2.5.4

core-plugins

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found by static inspection. Suspicious primitives are runtime backend features aligned with a Fastify CRUD/auth/file-management package.

Static reason: One or more suspicious static signals were detected.
Trigger: User imports/registers the Fastify plugin or runs documented scripts/routes.
Impact: No evidence of install-time execution, credential harvesting, persistence, unconsented agent mutation, or hardcoded exfiltration.
Mechanism: Runtime web server, database, proxy, upload, and metrics functionality.
Rationale: The package contains broad backend capabilities, but inspected source shows them as runtime, user-configured Fastify application features rather than malware. No lifecycle install hook, foreign AI-agent control-surface mutation, secret exfiltration, remote payload loading, or destructive persistence was found.
Evidence (inspected files):
  • package.json
  • README.md
  • dist/index.js
  • dist/config.js
  • dist/functions.js
  • dist/server/plugins/metric/loggerSystem.js
  • dist/server/plugins/policy/xssInjection.js
  • dist/server/plugins/auth/funcs/verifyPassword.js
  • dist/server/plugins/file/uploadMultiPart.js
  • dist/server/plugins/upload/startUpload.js
  • dist/server/plugins/upload/uploadChunk.js
  • dist/server/routes/auth/controllers/euSign/authByData.js
Network endpoints (2): id.softpro.ua, nsdi.gov.ua

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Runtime proxying in dist/index.js forwards requests to configured config.proxy targets.
  • Runtime system metrics endpoint in dist/server/plugins/metric/loggerSystem.js runs fixed command top -b -n 1 on non-Windows.
  • Runtime file/upload helpers write user uploads under configured storage paths.
Evidence against
  • package.json has no install/postinstall/prepare hook; prepublishOnly only runs build before publishing.
  • dist/index.js is a Fastify plugin registering CRUD/auth/upload/proxy routes; network targets are config-driven runtime behavior.
  • dist/config.js reads local config/env into application config but does not exfiltrate secrets.
  • dist/server/plugins/policy/xssInjection.js only contains XSS signature strings; no eval execution.
  • No AI-agent control-surface files or lifecycle writes found.
  • README.md describes a backend toolkit for Fastify, CRUD, auth, PostgreSQL, Redis, and migrations.
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 353 file(s), 818 KB of source, external domains: accounts.google.com, cdn.softpro.ua, id.softpro.ua, nsdi.gov.ua, www.w3.org

Source & flagged code

3 flagged
dist/server/plugins/auth/funcs/verifyPassword.js
L27: patternName = generic_password, severity = medium, line = 27, matchedText = await pg...d]);
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/server/plugins/auth/funcs/verifyPassword.js:27
dist/server/plugins/policy/xssInjection.js
L23: '\\x', L24: 'eval(', L25: 'onmouseover=',
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/server/plugins/policy/xssInjection.js:23
dist/functions.js
L183: return;
L184: const { uid } = config?.auth?.disable || process.env.NODE_ENV !== "admin"
L185: ? { uid: "1" }
...
L233: format: row.format,
L234: data: row.data,
L235: }));
...
L401: ...acc1,
L402: ...JSON.parse(readFileSync(`locales/${curr.name}/${file.name}`, "utf-8").replace(/[\u200B-\u200D\uFEFF]/g, "")),
L403: }), {});
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/functions.js:183

Findings

3 Medium, 7 Low
  • Medium · Secret Pattern · dist/server/plugins/auth/funcs/verifyPassword.js
  • Medium · Network
  • Medium · Environment Vars
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Eval · dist/server/plugins/policy/xssInjection.js
  • Low · Weak Crypto · dist/functions.js
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings