AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a documentation-site component/build helper with build-time filesystem reads, git metadata queries, and Pagefind index generation aligned to its purpose.
Decision evidence
public snapshot- package.json has no install/preinstall/postinstall lifecycle hooks and exports only docs components/config/build helpers.
- components/Search.jsx dynamically imports /pagefind/pagefind.js only on user search UI use; it is package-aligned static search runtime loading.
- build/frontmatter.js only readFileSyncs caller-provided markdown paths and parses frontmatter; scanner Unicode hit is an optional BOM in regex, not bidi control flow.
- build/pagefind.js writes Pagefind index files under caller-provided siteDir/pagefind during explicit build indexing.
- build/last-updated*.js uses execFileSync git log/rev-parse only for docs metadata during build/dev, with fixed git arguments.
- rg found no credential harvesting, exfiltration endpoints, lifecycle execution, destructive file operations, or AI-agent control-surface writes.
Source & flagged code
3 flagged · loading sourcePackage source references dynamic require/import behavior.
components/Search.jsxView on unpkg · L16Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
build/frontmatter.jsView on unpkg · L18A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
build/frontmatter.jsView on unpkg