registry  /  @reportforge/playwright-pdf  /  0.13.0

@reportforge/playwright-pdf@0.13.0

Enterprise-ready PDF reports for Playwright Test — minimal, detailed, and executive templates with CI/CD integrations

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface found. Network, filesystem, and child-process behavior is tied to documented PDF reporting, licensing, live reporting, notifications, browser discovery, and optional PDF opening.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User configures Playwright reporter or invokes playwright-pdf CLI commands.
Impact
Expected report generation and optional user-configured reporting side effects; no credential harvesting or unconsented execution identified.
Mechanism
PDF report generation with optional licensing, live streaming, notifications, local cache/history, qpdf encryption, and browser/PDF opener helpers.
Rationale
Static inspection shows suspicious primitives are package-aligned and user/config gated: licensing, live reporting, notifications, Chrome/qpdf discovery, and local report/cache files. I found no install-time execution, hidden payload, credential harvesting, persistence, destructive behavior, or prompt/reviewer manipulation.
Evidence
package.jsondist/index.jsdist/index.mjsdist/cli/index.jsREADME.md~/.reportforge/device.json~/.reportforge/license.json~/.reportforge/model.json~/.reportforge/<projectKey>/unclassified.csvreportforge-feedback.csvconfigured PDF output pathconfigured history path
Network endpoints5
reportforge.org/api/license/activatereportforge.org/api/license/refreshreportforge.org/api/live/ingestapi.resend.com/emailsuser-configured Slack/Teams/Discord webhook URLs

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hook; prepublishOnly is publisher-side only.
    • dist/index.js license calls post to reportforge.org activate/refresh only after RF_LICENSE_KEY/options.
    • dist/index.js live ingest sends test status data only when live.enabled and licensed.
    • dist/index.js notification fetches use user-configured webhook/email settings.
    • dist/index.js child_process use is Chrome/qpdf/git/open-PDF functionality aligned with PDF reporting.
    • dist/cli/index.js commands are demo/export-feedback, no hidden import-time payload.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 3 file(s), 2.68 MB of source, external domains: adaptivecards.io, bitbucket.org, github.com, playwright.dev, qpdf.readthedocs.io, reportforge.org, www.chartjs.org

    Source & flagged code

    5 flagged · loading source
    dist/index.jsView file
    6078init_cjs_shims(); L6079: var { execSync: execSync3 } = require("child_process"); L6080: var path14 = require("path");
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L6078
    657loggedProperties[propertyName] = true; L658: _logger2["default"].log("error", 'Handlebars: Access has been denied to resolve the property "' + propertyName + '" because it is not an "own property" of its parent.\nYou can add ... L659: } ... L949: }, L950: data: function data(value, depth) { L951: while (value && depth--) { ... L2937: L2938: // node_modules/source-map/lib/base64.js L2939: var require_base64 = __commonJS({ ... L5734: (function() { L5735: var reservedWords = "break else new var case finally return void catch for switch while continue function this with default if throw delete in try do instanceof typeof abstract enu... L5736: var compilerWords = JavaScriptCompiler.RESERVED_WORDS = {};
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    dist/index.jsView on unpkg · L657
    657Cross-file remote execution chain: dist/index.js spawns dist/cli/index.js; helper contains network access plus dynamic code execution. L657: loggedProperties[propertyName] = true; L658: _logger2["default"].log("error", 'Handlebars: Access has been denied to resolve the property "' + propertyName + '" because it is not an "own property" of its parent.\nYou can add ... L659: } ... L949: }, L950: data: function data(value, depth) { L951: while (value && depth--) { ... L2937: L2938: // node_modules/source-map/lib/base64.js L2939: var require_base64 = __commonJS({ ... L5734: (function() { L5735: var reservedWords = "break else new var case finally return void catch for switch while continue function this with default if throw delete in try do instanceof typeof abstract enu... L5736: var compilerWords = JavaScriptCompiler.RESERVED_WORDS = {};
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/index.jsView on unpkg · L657
    10}; L11: var __commonJS = (cb, mod) => function __require() { L12: return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/index.jsView on unpkg · L10
    dist/cli/index.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @reportforge/playwright-pdf@0.11.1 matchedIdentity = npm:[redacted]:0.11.1 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    dist/cli/index.jsView on unpkg

    Findings

    1 Critical4 High4 Medium6 Low
    CriticalPrevious Version Dangerous Deltadist/cli/index.js
    HighChild Processdist/index.js
    HighShell
    HighSandbox Evasion Gated Capabilitydist/index.js
    HighCross File Remote Execution Contextdist/index.js
    MediumDynamic Requiredist/index.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings