AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package provides docs UI components and build-time generators for nav, posts, feeds, last-updated metadata, llms text, and Pagefind search indexes.
Decision evidence
public snapshot- build/last-updated*.js invoke git via execFileSync at build/dev time.
- build/docs-nav-plugin.js dynamically imports project _meta.js files during build.
- package.json has no preinstall/install/postinstall hooks and no bin entry.
- components/Search.jsx imports only /pagefind/pagefind.js from the built same-origin site on user search.
- build/frontmatter.js contains only an optional BOM match, not bidi control obfuscation.
- No credential/env harvesting, destructive file operations, persistence, or external exfiltration endpoints found.
- Filesystem reads and Pagefind writes are package-aligned docs build behavior.
Source & flagged code
3 flagged · loading sourcePackage source references dynamic require/import behavior.
components/Search.jsxView on unpkg · L16Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
build/frontmatter.jsView on unpkg · L18A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
build/frontmatter.jsView on unpkg