AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. Network behavior is aligned with an auth package: app API fetches, Lettermint email sending, and Web Push delivery under consumer-invoked flows.
Decision evidence
public snapshot
- dist/server/auth.js dynamically imports optional bcrypt/bcryptjs only during legacy password verification.
- dist/server/email/lettermint.js can POST email via configured Lettermint transport.
- dist/server/notifications/push.js fetches user push endpoints when app sends notifications.
- package.json has no install/preinstall/postinstall/prepare lifecycle hooks and exports only dist entrypoints.
- dist/index.js only re-exports client and i18n modules; no import-time execution beyond i18n registration.
- dist/i18n/de.js contains German auth UI strings; scanner secret hits are words like password/token in translations.
- dist/server/notifications/push-endpoint.js blocks non-HTTPS, localhost, private, loopback, and link-local push endpoints.
- No filesystem writes, shell execution, credential harvesting, persistence, or reviewer/agent manipulation found in inspected sources.
Source & flagged code
15 flagged
- Package source references dynamic require/import behavior. (dist/server/auth.js · L88)
- Hardcoded password in dist/server/validation.test.js (dist/server/validation.test.js · L154)
- Hardcoded password in dist/server/validation.test.js (dist/server/validation.test.js · L163)
- Hardcoded password in dist/server/handlers/reset-password.test.js (dist/server/handlers/reset-password.test.js · L22)
- Hardcoded password in dist/server/handlers/reset-password.test.js (dist/server/handlers/reset-password.test.js · L44)
- Hardcoded password in dist/server/handlers/reset-password.test.js (dist/server/handlers/reset-password.test.js · L60)
- Hardcoded password in dist/server/handlers/reset-password.test.js (dist/server/handlers/reset-password.test.js · L61)
- Hardcoded password in dist/server/handlers/reset-password.test.js (dist/server/handlers/reset-password.test.js · L74)
- Hardcoded password in dist/server/handlers/register.test.js (dist/server/handlers/register.test.js · L5)