registry  /  @rollout/link-react  /  0.18.1

@rollout/link-react@0.18.1

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No install-time or import-time attack behavior is present. During credential-link UI use, server-supplied form metadata can be evaluated as JavaScript and rendered as raw HTML.

Static reason
No blocking static signals were detected.
Trigger
A host app renders the credential/authentication UI using Rollout API responses.
Impact
A compromised or insufficiently validated API response could execute browser-context script in the host application.
Mechanism
Runtime evaluation and raw HTML rendering of remote form metadata.
Rationale
Source inspection found no malicious install hook, persistence, local harvesting, or foreign control-surface mutation. The remote metadata execution/rendering primitives warrant a warning rather than a block.
Evidence
package.jsondist/index.jsdist/index.d.tsdist/index.cjs
Network endpoints1
universal.rollout.com/api

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/index.js` compiles `r.visible` with `new Function` at runtime.
  • `dist/index.js` injects API-provided HTML fields with `dangerouslySetInnerHTML`.
Evidence against
  • `package.json` has no lifecycle scripts and ships only `dist`.
  • No filesystem, child-process, shell, native-loader, or persistence APIs are imported.
  • Network calls use the configured Rollout API with the caller-provided bearer token.
  • OTP WebSocket URL is derived from the configured API base URL.
Behavioral surface
Source
EnvironmentVarsEval
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
CopyleftLicense
scanned 2 file(s), 166 KB of source, external domains: guides.rollout.com, reactjs.org, universal.rollout.com, www.w3.org

Source & flagged code

1 flagged · loading source
dist/index.jsView file
866return null; L867: const c = ((u = n.disabled) != null ? u : !1) || ((h = l == null ? void 0 : l.disabled) != null ? h : !1) || ((y = r.disabled) != null ? y : !1), m = r.visible != null ? new Functi... L868: if (r.type === "dropdown")
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L866

Findings

1 Medium4 Low
MediumEnvironment Vars
LowEvaldist/index.js
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License