
@opengis/fastify-table@2.5.3

core-plugins

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Network and filesystem activity is aligned with a Fastify CRUD/auth/upload/database package and is runtime or explicitly user-invoked.

Static reason
One or more suspicious static signals were detected.
Trigger
importing/registering the Fastify plugin or running documented scripts
Impact
Application runtime behavior depends on operator config; no install-time mutation, exfiltration, persistence, or agent control-surface writes identified
Mechanism
Fastify server plugin with configured proxy, DB migrations, uploads, S3/MinIO support, and template helpers
Rationale
Static source inspection shows a server-side Fastify table/admin plugin with configurable proxy/upload/database features, but no lifecycle execution on install, hardcoded exfiltration endpoint, credential harvesting, destructive persistence, or AI-agent control-surface mutation. Scanner hits are explained by expected app functionality and benign string literals.
Evidence
package.json
dist/index.js
dist/config.js
dist/functions.js
dist/script/dump.js
dist/script/migrate.js
dist/server/plugins/policy/xssInjection.js
dist/server/plugins/upload/uploadChunk.js
dist/server/plugins/upload/s3minio.js
config.json
/data/local/config.json
.env
.env.${NODE_ENV}
.env.${NODE_ENV}.local
.env.local
log/dump/*.sql
dist/log/migration/*-cls.sql
dist/log/migration/*-cls.json
Network endpoints (2)
config.proxy[].target
config.s3.endpoint
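Because both network endpoints above come from operator config rather than from hardcoded values, the practical check before deploying is to enumerate what the effective config would actually let the plugin reach. The following is an added example, not code from @opengis/fastify-table: it reads the two config keys named above and flags targets outside an allowlist or served over plain HTTP. It assumes config.proxy is an array of objects with a `target` URL and config.s3.endpoint is a URL string; the sample config, its host assignments and the allowlist are constructed for the demo.

```javascript
// Added example, not code from @opengis/fastify-table. Enumerates the outbound
// hosts an operator config would let the plugin contact, using the two config
// keys listed on this page. Assumption: config.proxy is an array of objects
// carrying a `target` URL and config.s3.endpoint is a URL string. The sample
// config below is constructed for the demo, not taken from any deployment.
const sampleConfig = {
  proxy: [
    { prefix: "/geo", target: "https://nsdi.gov.ua/" },
    { prefix: "/auth", target: "https://id.softpro.ua/" },
    { prefix: "/legacy", target: "http://203.0.113.10:8080/" },
  ],
  s3: { endpoint: "http://minio.internal:9000" },
};

// Returns one record per configured egress target: the config path it came
// from, the raw URL, its hostname and whether it uses TLS. Unparseable URLs
// are kept (host null, invalid true) so they are never silently dropped.
function listEgressTargets(config) {
  const out = [];
  const add = (source, raw) => {
    if (typeof raw !== "string") return;
    try {
      const u = new URL(raw);
      out.push({ source, url: raw, host: u.hostname, tls: u.protocol === "https:", invalid: false });
    } catch (e) {
      out.push({ source, url: raw, host: null, tls: false, invalid: true });
    }
  };
  (config.proxy || []).forEach((p, i) => add(`config.proxy[${i}].target`, p && p.target));
  add("config.s3.endpoint", config.s3 && config.s3.endpoint);
  return out;
}

// Pre-deploy check: flag any target whose host is outside the allowlist,
// cannot be parsed, or is reached over plain HTTP.
function auditEgress(config, allowedHosts) {
  const allowed = new Set(allowedHosts);
  return listEgressTargets(config).filter((t) => t.invalid || !allowed.has(t.host) || !t.tls);
}

// Demo run against a constructed allowlist; prints the two offending targets.
const egressFindings = auditEgress(sampleConfig, ["nsdi.gov.ua", "id.softpro.ua", "minio.internal"]);
for (const f of egressFindings) {
  console.log(`${f.source} -> ${f.url}`);
}
```

Run it against the real config file the plugin loads in your deployment; anything it prints is an egress path the scanner could not evaluate statically because it only exists at runtime.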

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hook; only prepublishOnly build script
    • main dist/index.js exports a Fastify plugin and registers app routes/plugins at runtime
    • dist/index.js proxy/fetch behavior is config.proxy-driven, not hardcoded exfiltration
    • dist/config.js loads local config/.env into app config; no outbound endpoint or credential harvesting found
    • dist/server/plugins/policy/xssInjection.js contains literal XSS denylist strings, not eval execution
    • dist/script/dump.js and dist/script/migrate.js are user-invoked DB maintenance scripts writing log/dump or running migrations
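The first item in the list above (no install or postinstall hook, only a prepublishOnly build script) is the check that separates "Non Install Lifecycle Scripts" from an install-time hook, and it is worth automating for every dependency. The following is an added example, not code from this package or registry: it classifies the scripts in a package.json into those npm runs on the consumer's machine at install time and those that only run on the author's side or on demand. The two sample manifests are constructed for the demo.

```javascript
// Added example, not code from @opengis/fastify-table or the registry scanner.
// Classifies npm lifecycle scripts by who ends up running them.

// Scripts npm runs automatically when a dependent installs the package.
// `prepare` is included because npm runs it when the package is installed
// from a git URL or from a local checkout, even though registry tarballs skip it.
const INSTALL_TIME = new Set(["preinstall", "install", "postinstall", "prepare"]);

// Scripts npm runs only on the author's side: packing, publishing, versioning.
const AUTHOR_SIDE = new Set([
  "prepublish", "prepublishOnly", "prepack", "postpack", "publish", "postpublish",
  "preversion", "version", "postversion",
]);

// Returns { installTime, authorSide, other }, each a list of { name, cmd }.
// "other" covers scripts only run when someone explicitly invokes them
// (build, test, migrate and the like).
function classifyScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const result = { installTime: [], authorSide: [], other: [] };
  for (const [name, cmd] of Object.entries(scripts)) {
    const entry = { name, cmd };
    if (INSTALL_TIME.has(name)) result.installTime.push(entry);
    else if (AUTHOR_SIDE.has(name)) result.authorSide.push(entry);
    else result.other.push(entry);
  }
  return result;
}

// The single yes/no a reviewer wants first: does installing this run code?
function hasInstallHook(manifest) {
  return classifyScripts(manifest).installTime.length > 0;
}

// Constructed sample manifests (not the real package.json of any package).
const cleanManifest = {
  name: "demo-plugin",
  scripts: {
    prepublishOnly: "npm run build",
    build: "tsc -p .",
    migrate: "node dist/script/migrate.js",
  },
};
const riskyManifest = {
  name: "demo-plugin",
  scripts: { postinstall: "node setup.js", build: "tsc -p ." },
};

for (const m of [cleanManifest, riskyManifest]) {
  const c = classifyScripts(m);
  console.log(`${m.name}: install-time=${c.installTime.map((s) => s.name).join(",") || "none"}` +
    ` author-side=${c.authorSide.map((s) => s.name).join(",") || "none"}`);
}
```

Point it at the package.json inside the published tarball (`npm pack`, then read the archive), not at the repository's copy: the tarball is what `npm install` executes hooks from.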
    Behavioral surface
    Source: Child Process, Crypto, Environment Vars, Eval, Filesystem, Network, Shell
    Supply chain: High Entropy Strings, Url Strings
    Manifest: No manifest risk signals triggered.
    scanned 353 file(s), 818 KB of source, external domains: accounts.google.com, cdn.softpro.ua, id.softpro.ua, nsdi.gov.ua, www.w3.org

    Source & flagged code

    3 flagged
    dist/server/plugins/auth/funcs/verifyPassword.js · L27
    patternName = generic_password, severity = medium, line = 27, matchedText = await pg...d]);
    Medium
    Secret Pattern

    Package contains a possible secret pattern.
    dist/server/plugins/policy/xssInjection.js · L23
    L23: '\\x',
    L24: 'eval(',
    L25: 'onmouseover=',
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.
    dist/functions.js · L183
    L183: return;
    L184: const { uid } = config?.auth?.disable || process.env.NODE_ENV !== "admin"
    L185:   ? { uid: "1" } ...
    L233:   format: row.format,
    L234:   data: row.data,
    L235: }));
    ...
    L401: ...acc1,
    L402: ...JSON.parse(readFileSync(`locales/${curr.name}/${file.name}`, "utf-8").replace(/[\u200B-\u200D\uFEFF]/g, "")),
    L403: }), {});
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms. The excerpt shown here contains no hash or cipher call (it covers an auth-disable uid fallback, row mapping and locale-file loading), so the line that actually triggered this signal is not visible on this page. Separately, note that at L184 `||` binds tighter than `?:`, so the `{ uid: "1" }` branch is taken whenever config.auth.disable is set or NODE_ENV is anything other than "admin"; operators should confirm that matches the intended deployment.

    Findings

    3 Medium, 7 Low
    Medium · Secret Pattern · dist/server/plugins/auth/funcs/verifyPassword.js
    Medium · Network
    Medium · Environment Vars
    Low · Non Install Lifecycle Scripts
    Low · Scripts Present
    Low · Eval · dist/server/plugins/policy/xssInjection.js
    Low · Weak Crypto · dist/functions.js
    Low · Filesystem
    Low · High Entropy Strings
    Low · Url Strings