registry  /  @urbicon-ui/auth  /  6.23.0

@urbicon-ui/auth@6.23.0

Authentication for SvelteKit — JWT sessions, passkeys/WebAuthn, notifications and email with zero runtime dependencies

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network operations are explicit authentication features, not install- or import-time behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
A consumer explicitly configures and calls the Lettermint transport or Web Push service.
Impact
Sends intended authentication email or notification payloads to configured recipients/endpoints.
Mechanism
Configured email and standards-based Web Push delivery
Rationale
Static inspection shows a normal SvelteKit authentication package with explicit runtime transports and no lifecycle execution or covert collection/exfiltration path. The scanner findings are explained by fixed optional bcrypt compatibility loading, localization text, and user-invoked auth networking.
Evidence
package.jsondist/index.jsdist/server/password.jsdist/server/email/lettermint.jsdist/server/notifications/push.jsdist/server/notifications/push-endpoint.jsdist/server/index.jsdist/client/utils/http.jsdist/client/csrf.js
Network endpoints1
api.lettermint.co/v1

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/server/password.js` dynamically imports only optional `bcrypt` or `bcryptjs` for legacy hash verification.
  • `dist/server/email/lettermint.js` and `dist/server/notifications/push.js` make runtime `fetch` calls for configured email and Web Push delivery.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • `dist/index.js` and `dist/server/index.js` are export barrels with no import-time execution.
  • `dist/server/password.js` uses the dynamic import solely as a bounded fallback over two fixed peer module names.
  • `dist/server/email/lettermint.js` sends only when its exported transport is explicitly configured and invoked.
  • `dist/server/notifications/push.js` validates endpoints before delivery; `push-endpoint.js` rejects non-HTTPS, local, private, and link-local literal hosts.
  • No filesystem-write, subprocess, environment-harvesting, eval, native-binary, or AI-agent-control artifacts were found in `dist`.
Behavioral surface
Source
CryptoDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 100 file(s), 433 KB of source, external domains: api.lettermint.co, push.test, sanitize-redirect.internal

Source & flagged code

7 flagged · loading source
dist/i18n/de.jsView file
33patternName = generic_password severity = medium line = 33 matchedText = password...rt',
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/i18n/de.jsView on unpkg · L33
47patternName = generic_password severity = medium line = 47 matchedText = password...rt',
Medium
Secret Pattern

Hardcoded password in dist/i18n/de.js

dist/i18n/de.jsView on unpkg · L47
74patternName = generic_password severity = medium line = 74 matchedText = password...rt',
Medium
Secret Pattern

Hardcoded password in dist/i18n/de.js

dist/i18n/de.jsView on unpkg · L74
dist/server/password.jsView file
85try { L86: const mod = (await import(/* @vite-ignore */ specifier)); L87: return (password, hash) => mod.compare(password, hash);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/server/password.jsView on unpkg · L85
dist/i18n/en.jsView file
33patternName = generic_password severity = medium line = 33 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in dist/i18n/en.js

dist/i18n/en.jsView on unpkg · L33
47patternName = generic_password severity = medium line = 47 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in dist/i18n/en.js

dist/i18n/en.jsView on unpkg · L47
74patternName = generic_password severity = medium line = 74 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in dist/i18n/en.js

dist/i18n/en.jsView on unpkg · L74

Findings

8 Medium4 Low
MediumSecret Patterndist/i18n/de.js
MediumDynamic Requiredist/server/password.js
MediumNetwork
MediumSecret Patterndist/i18n/de.js
MediumSecret Patterndist/i18n/de.js
MediumSecret Patterndist/i18n/en.js
MediumSecret Patterndist/i18n/en.js
MediumSecret Patterndist/i18n/en.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings