registry  /  @reportforge/playwright-pdf  /  0.12.0

@reportforge/playwright-pdf@0.12.0

Enterprise-ready PDF reports for Playwright Test — minimal, detailed, and executive templates with CI/CD integrations

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The risky primitives are runtime features for a licensed Playwright PDF reporter and require user configuration or reporter execution.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User configures the Playwright reporter or runs the playwright-pdf CLI.
Impact
Generates reports and may send report/live/notification data to configured ReportForge or notification endpoints; no credential harvesting or unconsented install-time execution found.
Mechanism
PDF generation, license checks, optional live/notification integrations, and local helper process invocation
Rationale
Static source inspection shows package-aligned reporter behavior: license validation, PDF rendering, optional live streaming, notifications, and local browser/qpdf helpers. There is no install-time execution, covert exfiltration, remote payload execution, persistence, destructive behavior, or AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsdist/cli/index.js~/.reportforge/license.json~/.reportforge/model.jsonhistory.jsonPDF output pathsOS temp rf-report-*.htmlOS temp rf-pw-*
Network endpoints5
reportforge.orgreportforge.org/api/license/activatereportforge.org/api/license/refreshreportforge.org/api/live/ingestapi.resend.com/emails

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js contacts https://reportforge.org for license activation/refresh and optional live ingest.
  • dist/index.js can send optional email through https://api.resend.com/emails when RESEND_API_KEY and notify.email are configured.
  • dist/index.js uses child_process for git metadata, Chrome discovery, optional qpdf encryption, and optional open:true PDF viewing.
Evidence against
  • package.json has no install/postinstall hooks; prepublishOnly is publish-time only.
  • Main import exports PdfReporter/defineReporterConfig without immediate network, shell, or file harvesting behavior.
  • Network calls are tied to license validation, live reporting, notifications, or user-supplied webhooks for a Playwright PDF reporter.
  • Filesystem writes are package-aligned: PDF outputs, temp HTML/password files, history.json, and ~/.reportforge license/model caches.
  • Dynamic require/import is for local package.json, puppeteer-core, fs, and child_process in runtime features, not remote code loading.
  • dist/cli/index.js is a bundled demo/PDF generation CLI with the same package-aligned PDF, template, browser, and qpdf behavior.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 2.68 MB of source, external domains: adaptivecards.io, bitbucket.org, github.com, playwright.dev, qpdf.readthedocs.io, reportforge.org, www.chartjs.org

Source & flagged code

5 flagged · loading source
dist/index.jsView file
6078init_cjs_shims(); L6079: var { execSync: execSync3 } = require("child_process"); L6080: var path14 = require("path");
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L6078
657loggedProperties[propertyName] = true; L658: _logger2["default"].log("error", 'Handlebars: Access has been denied to resolve the property "' + propertyName + '" because it is not an "own property" of its parent.\nYou can add ... L659: } ... L949: }, L950: data: function data(value, depth) { L951: while (value && depth--) { ... L2937: L2938: // node_modules/source-map/lib/base64.js L2939: var require_base64 = __commonJS({ ... L5734: (function() { L5735: var reservedWords = "break else new var case finally return void catch for switch while continue function this with default if throw delete in try do instanceof typeof abstract enu... L5736: var compilerWords = JavaScriptCompiler.RESERVED_WORDS = {};
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L657
657Cross-file remote execution chain: dist/index.js spawns dist/cli/index.js; helper contains network access plus dynamic code execution. L657: loggedProperties[propertyName] = true; L658: _logger2["default"].log("error", 'Handlebars: Access has been denied to resolve the property "' + propertyName + '" because it is not an "own property" of its parent.\nYou can add ... L659: } ... L949: }, L950: data: function data(value, depth) { L951: while (value && depth--) { ... L2937: L2938: // node_modules/source-map/lib/base64.js L2939: var require_base64 = __commonJS({ ... L5734: (function() { L5735: var reservedWords = "break else new var case finally return void catch for switch while continue function this with default if throw delete in try do instanceof typeof abstract enu... L5736: var compilerWords = JavaScriptCompiler.RESERVED_WORDS = {};
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L657
10}; L11: var __commonJS = (cb, mod) => function __require() { L12: return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L10
dist/cli/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @reportforge/playwright-pdf@0.11.1 matchedIdentity = npm:[redacted]:0.11.1 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli/index.jsView on unpkg

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/cli/index.js
HighChild Processdist/index.js
HighShell
HighSandbox Evasion Gated Capabilitydist/index.js
HighCross File Remote Execution Contextdist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings