registry  /  @shapla/vue-components  /  1.5.2

@shapla/vue-components@1.5.2

A collection of reusable components for Vue 3.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The main concern is a package install lifecycle that runs npm install for esbuild, which is install-time mutation but not evidence of exfiltration, payload execution, or persistence.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of @shapla/vue-components@1.5.2; runtime file upload only after app/user supplies url and selects files
Impact
Potential unexpected install-time network/package mutation; no confirmed malicious data access or exfiltration
Mechanism
install-time dependency install plus user-invoked Vue UI components
Rationale
Source inspection does not support the scanner's malicious label: the package is a Vue component library and no credential theft, hardcoded exfiltration, remote payload execution, persistence, destructive behavior, or AI-agent control-surface mutation was found. The install lifecycle is still unexpected enough to warn rather than mark fully clean.
Evidence
package.jsonsrc/index.tssrc/components/file-uploader/ShaplaFileUploader.vuesrc/components/file-uploader/helpers/utils.tsdist/components.mjsdist/components.umd.js
Network endpoints1
registry.npmjs.org/esbuild

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json defines install lifecycle: npm install --ignore-scripts esbuild
  • Install hook can invoke npm and modify package install contents during consumer install
Evidence against
  • package.json main/module point to dist Vue component bundles, not installer code
  • src/index.ts only re-exports Vue components and helpers
  • File uploader network use is user-configured via url prop and triggered by file selection/drop
  • No child_process, fs writes, env/credential harvesting, eval/Function, or AI-agent config writes found in src/package entrypoints
  • dist bundle behavior matches source component code, including XMLHttpRequest uploader and modal body class helper
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 13 file(s), 247 KB of source, external domains: www.w3.org

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.install = npm install --ignore-scripts esbuild
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.install = npm install --ignore-scripts esbuild
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 Critical1 High1 Medium3 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings