@opengis/fastify-table@2.4.19

core-plugins

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The risky primitives are runtime Fastify application features: configured proxying, file upload/S3, email notifications, database migrations, and system metrics.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing/registering the Fastify plugin or explicitly running package scripts/routes.
Impact
No evidence of credential harvesting, install-time execution, persistence, destructive behavior, or hardcoded exfiltration.
Mechanism
Fastify backend plugin with configured database, auth, file, mail, proxy, and metrics features
Rationale
Static inspection shows a substantial Fastify CRUD/admin backend package with network, env, file, database, and child_process primitives tied to declared runtime functionality. I found no install-time payload, hidden downloader, exfiltration endpoint, credential theft, AI-agent control mutation, or other concrete malicious behavior.
Evidence
• package.json
• dist/index.js
• dist/config.js
• dist/server/plugins/policy/xssInjection.js
• dist/server/plugins/auth/funcs/verifyPassword.js
• dist/server/plugins/metric/loggerSystem.js
• dist/server/plugins/auth/funcs/sendNotification.js
• dist/server/plugins/file/uploadMultiPart.js
• dist/script/dump.js
• dist/script/migrate.js
• config.json
• /data/local/config.json
• .env
• .env.local
• .env.<NODE_ENV>
• .env.<NODE_ENV>.local
• log/dump/*.sql
• /data/local/<database>/files/*

Decision evidence

public snapshot
AI classified this package as Clean (Benign) at 90.0% confidence, with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hooks; prepublishOnly only runs build before publishing.
    • dist/index.js exports a Fastify plugin and registers CRUD/auth/upload/proxy routes at runtime.
    • dist/config.js reads local config/env files for app configuration, with no exfiltration path found.
    • dist/server/plugins/policy/xssInjection.js contains string denylist entries including "eval(", not executable eval usage.
    • dist/server/plugins/metric/loggerSystem.js uses child_process exec only for a runtime system-metrics endpoint running top.
    • dist/server/plugins/auth/funcs/sendNotification.js and file/S3 modules use configured mail/S3 endpoints for package-aligned features.
    Behavioral surface
    Source: Child Process, Crypto, Environment Vars, Eval, Filesystem, Network, Shell
    Supply chain: High Entropy Strings, Url Strings
    Manifest: No manifest risk signals triggered.
    Scanned 343 file(s), 807 KB of source. External domains referenced: accounts.google.com, cdn.softpro.ua, id.softpro.ua, nsdi.gov.ua, www.w3.org
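The manifest and source signals listed above (install-time lifecycle scripts, child_process and eval references, URL strings and their hostnames) can be reproduced locally before trusting a scanner verdict. The script below is an added example written for this page; it is not code from @opengis/fastify-table or from the lpm-firewall-ai scanner. The package.json and the source snippets it scans are constructed to mirror the report's findings (a denylist that mentions `eval(` as a string, a metrics module that shells out to `top`, OAuth endpoint constants), and the string-literal stripping is a deliberately simple heuristic that ignores comments and regex literals.

```javascript
// Added example for this page: a minimal local triage of the signals the
// report above summarises. Not code from @opengis/fastify-table or lpm-firewall-ai.
// All inputs below are constructed to mirror the report's findings.

// 1. Lifecycle scripts: these four run during `npm install` of a dependency;
//    everything else (build, test, prepublishOnly, ...) runs only on demand.
const INSTALL_HOOKS = new Set(["preinstall", "install", "postinstall", "prepare"]);

function classifyScripts(manifest) {
  const installTime = [];
  const other = [];
  for (const [name, cmd] of Object.entries(manifest.scripts || {})) {
    (INSTALL_HOOKS.has(name) ? installTime : other).push({ name, cmd });
  }
  return { installTime, other };
}

// 2. Blank out '...', "..." and `...` literals (escapes respected) so that a
//    denylist entry such as 'eval(' is not counted as a call. Heuristic only:
//    comments and regex literals are not handled.
function stripStringLiterals(src) {
  return src.replace(
    /'(?:\\.|[^'\\\n])*'|"(?:\\.|[^"\\\n])*"|`(?:\\.|[^`\\])*`/g,
    '""'
  );
}

function findDynamicCode(src) {
  const code = stripStringLiterals(src);
  const usesChildProcess = /\bchild_process\b/.test(src);
  return {
    evalCalls: (code.match(/\beval\s*\(/g) || []).length,
    childProcessCalls: usesChildProcess
      ? (code.match(/\b(?:exec|execSync|execFile|execFileSync|spawn|spawnSync)\s*\(/g) || [])
      : [],
  };
}

// 3. Hostnames of absolute http(s) URLs in the source (the "Url Strings" signal).
function externalHosts(src) {
  const hosts = new Set();
  for (const m of src.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

function triage(manifest, sources) {
  const hosts = new Set();
  const report = { installHooks: [], evalFiles: [], childProcessFiles: [], hosts: [] };
  report.installHooks = classifyScripts(manifest).installTime.map((s) => s.name);
  for (const [file, src] of Object.entries(sources)) {
    const d = findDynamicCode(src);
    if (d.evalCalls > 0) report.evalFiles.push(file);
    if (d.childProcessCalls.length > 0) report.childProcessFiles.push(file);
    externalHosts(src).forEach((h) => hosts.add(h));
  }
  report.hosts = [...hosts].sort();
  return report;
}

// Constructed inputs (not the real package contents).
const sampleManifest = {
  name: "example-fastify-plugin",
  scripts: { build: "tsc", prepublishOnly: "npm run build", test: "node --test" },
};

const sampleSources = {
  // a denylist that mentions eval( as a string, as in the xssInjection.js finding
  "policy/xssInjection.js":
    "const DENY = ['\\\\x', 'eval(', 'onmouseover='];\nmodule.exports = (s) => DENY.some((d) => s.includes(d));",
  // a metrics endpoint that shells out, as in the loggerSystem.js finding
  "metric/loggerSystem.js":
    "const { exec } = require('child_process');\nmodule.exports = (cb) => exec('top -b -n 1', cb);",
  // OAuth endpoint constants, the usual origin of external hostnames in a backend
  "auth/sso.js":
    "const ISSUER = 'https://accounts.google.com';\nconst USERINFO = 'https://id.softpro.ua/userinfo';\nmodule.exports = { ISSUER, USERINFO };",
  // what a real hit looks like: executable eval over file contents
  "danger.js": "eval(require('fs').readFileSync('/tmp/p.js', 'utf8'));",
};

console.log(JSON.stringify(triage(sampleManifest, sampleSources), null, 2));
```

Run with `node` on the real package (read `package.json` and walk `dist/`) to confirm the two points the verdict rests on: no install-time hook in the manifest, and every `exec`/`eval` hit sitting in a file whose declared feature explains it. The child_process check only reports that a shell-executing call exists; whether the command string can carry request-controlled data is the follow-up to read by hand in `loggerSystem.js`, which the report says runs `top` only.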

    Source & flagged code

    3 flagged

    dist/server/plugins/auth/funcs/verifyPassword.js, line 27
    patternName = generic_password, severity = medium, matchedText = await pg...d]);
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/server/plugins/policy/xssInjection.js, lines 23-25
    L23: '\\x', L24: 'eval(', L25: 'onmouseover=',
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/functions.js, line 183
    L183: return; L184: const { uid } = config?.auth?.disable || process.env.NODE_ENV !== "admin" L185: ? { uid: "1" } ... L233: format: row.format, L234: data: row.data, L235: })); ... L401: ...acc1, L402: ...JSON.parse(readFileSync(`locales/${curr.name}/${file.name}`, "utf-8").replace(/[\u200B-\u200D\uFEFF]/g, "")), L403: }), {});
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    Findings

    3 Medium, 7 Low
    • Medium: Secret Pattern (dist/server/plugins/auth/funcs/verifyPassword.js)
    • Medium: Network
    • Medium: Environment Vars
    • Low: Non Install Lifecycle Scripts
    • Low: Scripts Present
    • Low: Eval (dist/server/plugins/policy/xssInjection.js)
    • Low: Weak Crypto (dist/functions.js)
    • Low: Filesystem
    • Low: High Entropy Strings
    • Low: Url Strings