AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. Runtime network features are expected auth/email/push functionality and require consumer invocation/configuration.
Decision evidence
public snapshot
- package.json has no install/preinstall/postinstall lifecycle hooks and no dependencies.
- dist/index.js only re-exports client and i18n modules; no import-time execution beyond i18n registration.
- dist/server/auth.js dynamic import is limited to optional bcrypt/bcryptjs legacy password verification.
- dist/i18n/de.js contains German auth UI strings; scanner secret hit is translation text like password/token labels.
- Network use is package-aligned: Lettermint email transport and Web Push endpoints invoked by consumer code.
- No fs, child_process, eval, persistence, destructive actions, or credential harvesting found in inspected dist files.
Source & flagged code
15 flagged
- Package source references dynamic require/import behavior. (dist/server/auth.js · L88)
- Hardcoded password in dist/server/validation.test.js (dist/server/validation.test.js · L154)
- Hardcoded password in dist/server/validation.test.js (dist/server/validation.test.js · L163)
- Hardcoded password in dist/server/handlers/reset-password.test.js (dist/server/handlers/reset-password.test.js · L22)
- Hardcoded password in dist/server/handlers/reset-password.test.js (dist/server/handlers/reset-password.test.js · L44)
- Hardcoded password in dist/server/handlers/reset-password.test.js (dist/server/handlers/reset-password.test.js · L60)
- Hardcoded password in dist/server/handlers/reset-password.test.js (dist/server/handlers/reset-password.test.js · L61)
- Hardcoded password in dist/server/handlers/reset-password.test.js (dist/server/handlers/reset-password.test.js · L74)
- Hardcoded password in dist/server/handlers/register.test.js (dist/server/handlers/register.test.js · L5)