
@urbicon-ui/auth@6.12.0

Authentication for SvelteKit — JWT sessions, passkeys/WebAuthn, notifications and email with zero runtime dependencies

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Network behavior is aligned with an auth package: app API fetches, Lettermint email sending, and Web Push delivery under consumer-invoked flows.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports/uses auth handlers, email transport, client stores, or notification service at runtime.
Impact
Expected application authentication and notification behavior; no unconsented install-time or import-time compromise found.
Mechanism
Auth, JWT, CSRF, email, i18n, passkey, TOTP, and Web Push library code
Rationale
Static source inspection shows a SvelteKit auth library with expected optional bcrypt import and user-invoked network calls for email, app endpoints, and Web Push. The suspicious scanner labels are explained by package-aligned auth strings and runtime features, with no concrete malicious behavior.
Evidence
  • package.json
  • dist/index.js
  • dist/i18n/de.js
  • dist/i18n/index.js
  • dist/server/index.js
  • dist/server/auth.js
  • dist/server/email/lettermint.js
  • dist/server/notifications/push.js
  • dist/server/notifications/push-endpoint.js
  • dist/client/csrf.js
  • dist/client/stores/auth.svelte.js
Network endpoints (1)
api.lettermint.co/v1/send

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/server/auth.js dynamically imports optional bcrypt/bcryptjs only during legacy password verification.
  • dist/server/email/lettermint.js can POST email via configured Lettermint transport.
  • dist/server/notifications/push.js fetches user push endpoints when app sends notifications.
Evidence against
  • package.json has no install/preinstall/postinstall/prepare lifecycle hooks and exports only dist entrypoints.
  • dist/index.js only re-exports client and i18n modules; no import-time execution beyond i18n registration.
  • dist/i18n/de.js contains German auth UI strings; scanner secret hits are words like password/token in translations.
  • dist/server/notifications/push-endpoint.js blocks non-HTTPS, localhost, private, loopback, and link-local push endpoints.
  • No filesystem writes, shell execution, credential harvesting, persistence, or reviewer/agent manipulation found in inspected sources.
Behavioral surface
Source
Crypto, Dynamic Require, Filesystem, Network
Supply chain
High Entropy Strings, Url Strings
Manifest
No manifest risk signals triggered.
scanned 142 file(s), 738 KB of source, external domains: 0.0.0.0, 0177.0.0.1, 10.0.0.1, 10.0.0.5, 100.64.0.1, 127.0.0.1, 169.254.0.1, 169.254.169.254, 172.16.3.4, 172.31.255.255, 172.32.0.1, 192.168.1.1, 192.169.0.1, 8.8.8.8, anything-public.example.com, api.lettermint.co, api.localhost, app.example.com, app.example.com.evil.test, app.test, eu.lettermint.test, evil-push.example.com, evil.com, evil.example.com, example.com, fcm.googleapis.com, fcm.googleapis.com.evil.com, other.com, push.example.com, push.test, updates.push.services.mozilla.com, web.push.apple.com

Source & flagged code

15 flagged

dist/i18n/de.js
  • line 31 · Medium · Secret Pattern · patternName = generic_password · matchedText = password...rt',
    Package contains a possible secret pattern.
  • line 47 · Medium · Secret Pattern · patternName = generic_password · matchedText = password...rt',
    Hardcoded password in dist/i18n/de.js
  • line 81 · Medium · Secret Pattern · patternName = generic_password · matchedText = password...rt',
    Hardcoded password in dist/i18n/de.js
dist/server/auth.js
  • line 88 · Medium · Dynamic Require
    Package source references dynamic require/import behavior.
      88: try {
      89:   const mod = (await import(/* @vite-ignore */ specifier));
      90:   return (password, hash) => mod.compare(password, hash);
dist/server/validation.test.js
  • line 154 · Medium · Secret Pattern · patternName = generic_password · matchedText = expect(v...se);
    Hardcoded password in dist/server/validation.test.js
  • line 163 · Medium · Secret Pattern · patternName = generic_password · matchedText = expect(v...se);
    Hardcoded password in dist/server/validation.test.js
dist/server/handlers/reset-password.test.js
  • line 22 · Medium · Secret Pattern · patternName = generic_password · matchedText = const re...}));
    Hardcoded password in dist/server/handlers/reset-password.test.js
  • line 44 · Medium · Secret Pattern · patternName = generic_password · matchedText = const re...}));
    Hardcoded password in dist/server/handlers/reset-password.test.js
  • line 60 · Medium · Secret Pattern · patternName = generic_password · matchedText = handler....})),
    Hardcoded password in dist/server/handlers/reset-password.test.js
  • line 61 · Medium · Secret Pattern · patternName = generic_password · matchedText = handler.... }))
    Hardcoded password in dist/server/handlers/reset-password.test.js
  • line 74 · Medium · Secret Pattern · patternName = generic_password · matchedText = const bo...' };
    Hardcoded password in dist/server/handlers/reset-password.test.js
dist/server/handlers/register.test.js
  • line 5 · Medium · Secret Pattern · patternName = generic_password · matchedText = const va...' };
    Hardcoded password in dist/server/handlers/register.test.js
dist/i18n/en.js
  • line 31 · Medium · Secret Pattern · patternName = generic_password · matchedText = password...rd',
    Hardcoded password in dist/i18n/en.js
  • line 47 · Medium · Secret Pattern · patternName = generic_password · matchedText = password...rd',
    Hardcoded password in dist/i18n/en.js
  • line 81 · Medium · Secret Pattern · patternName = generic_password · matchedText = password...rd',
    Hardcoded password in dist/i18n/en.js

Findings

16 Medium, 4 Low

Severity · Category · File
Medium · Secret Pattern · dist/i18n/de.js
Medium · Dynamic Require · dist/server/auth.js
Medium · Network
Medium · Secret Pattern · dist/server/validation.test.js
Medium · Secret Pattern · dist/server/validation.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/register.test.js
Medium · Secret Pattern · dist/i18n/de.js
Medium · Secret Pattern · dist/i18n/de.js
Medium · Secret Pattern · dist/i18n/en.js
Medium · Secret Pattern · dist/i18n/en.js
Medium · Secret Pattern · dist/i18n/en.js
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings