@opengis/fastify-table@2.5.1

core-plugins

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a backend Fastify plugin with runtime database migrations, auth, upload, proxy, logging, and metrics features.

Static reason
One or more suspicious static signals were detected.
Trigger
Application imports/registers the Fastify plugin or runs explicit dump/migrate scripts.
Impact
Expected backend framework behavior; no unconsented install-time execution, credential harvesting, or exfiltration identified.
Mechanism
config-driven server routes, local config/env loading, database/file/log operations
Rationale
Static inspection found suspicious primitives, but they are tied to normal server features such as metrics, uploads, migrations, OAuth, and configurable proxying, with no lifecycle-triggered persistence or exfiltration. The prepublishOnly script is publisher-side and there is no install-time attack path.
Evidence
package.json, dist/index.js, dist/config.js, dist/functions.js, dist/server/plugins/metric/loggerSystem.js, dist/server/plugins/upload/startUpload.js, dist/server/routes/auth/controllers/euSign/authByData.js, config.json, /data/local/config.json, .env.local, .env.${NODE_ENV}, .env.${NODE_ENV}.local, dist/log/migration/*.sql, dist/log/migration/*.json, log/dump/*.sql
Network endpoints (4)
id.softpro.ua, nsdi.gov.ua, cdn.tailwindcss.com, cdn.softpro.ua

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/server/plugins/metric/loggerSystem.js runs fixed command `top -b -n 1` for runtime metrics.
  • dist/server/helpers/format/formatNum.js contains eval-based numeric formatting helper.
  • dist/config.js imports dotenv and reads config/env files at runtime.
Evidence against
  • package.json has no install/postinstall/prepare hook; only prepublishOnly build script.
  • dist/index.js is a Fastify plugin registering CRUD/auth/upload/proxy routes; no import-time exfiltration or persistence found.
  • dist/index.js proxy/fetch behavior is config-driven runtime server functionality.
  • dist/server/plugins/upload/*.js writes upload metadata/chunks under configured upload directories, package-aligned.
  • No AI-agent control-surface writes, shell startup/VCS hook mutation, or remote payload loading found.
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Eval, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 343 file(s), 810 KB of source, external domains: accounts.google.com, cdn.softpro.ua, id.softpro.ua, nsdi.gov.ua, www.w3.org

Source & flagged code

3 flagged
dist/server/plugins/auth/funcs/verifyPassword.js
L27: patternName = generic_password, severity = medium, line = 27, matchedText = await pg...d]);
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/server/plugins/policy/xssInjection.js
L23: '\\x', L24: 'eval(', L25: 'onmouseover=',
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/functions.js
L183: return; L184: const { uid } = config?.auth?.disable || process.env.NODE_ENV !== "admin" L185: ? { uid: "1" } ... L233: format: row.format, L234: data: row.data, L235: })); ... L401: ...acc1, L402: ...JSON.parse(readFileSync(`locales/${curr.name}/${file.name}`, "utf-8").replace(/[\u200B-\u200D\uFEFF]/g, "")), L403: }), {});
Low
Weak Crypto

Package source references weak cryptographic algorithms.

Findings

3 Medium, 7 Low
  • Medium · Secret Pattern · dist/server/plugins/auth/funcs/verifyPassword.js
  • Medium · Network
  • Medium · Environment Vars
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Eval · dist/server/plugins/policy/xssInjection.js
  • Low · Weak Crypto · dist/functions.js
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings