
@urbicon-ui/auth@6.8.0

Authentication for SvelteKit — JWT sessions, passkeys/WebAuthn, notifications and email with zero runtime dependencies

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Runtime network behavior is package-aligned authentication, email, SSE, service worker, and Web Push functionality invoked by consumers/users.

Static reason
One or more suspicious static signals were detected.
Trigger
consumer imports and invokes auth/email/notification handlers or client components
Impact
No credential harvesting, exfiltration, persistence, or install-time execution identified
Mechanism
authentication UI/server helpers with optional email and push delivery
Rationale
Static inspection shows a SvelteKit auth package with expected crypto, handlers, i18n, email, and notification code; scanner findings map to benign optional bcrypt import, package-aligned network APIs, and translation strings. There is no install-time execution, obfuscated payload, filesystem mutation, command execution, credential exfiltration, or AI-agent control-surface mutation.
Evidence
package.json, dist/index.js, dist/server/auth.js, dist/server/email/lettermint.js, dist/server/notifications/push.js, dist/server/notifications/push-endpoint.js, dist/client/utils/service-worker.js, dist/sw/index.js, dist/i18n/de.js
Network endpoints (2)
api.lettermint.co/v1/send; user-supplied public HTTPS Web Push endpoints

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Network-capable code exists for user-configured Lettermint email and Web Push delivery.
  • dist/server/auth.js uses dynamic import for optional bcrypt/bcryptjs legacy hash verification.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and exports only dist entrypoints.
  • dist/server/auth.js dynamic import is limited to bcrypt/bcryptjs verification fallback, not arbitrary code loading.
  • dist/server/email/lettermint.js posts only to configured Lettermint baseUrl, default https://api.lettermint.co/v1/send, when consumer sends mail.
  • dist/server/notifications/push.js fetches user push endpoints only after public-HTTPS SSRF guard in push-endpoint.js.
  • dist/i18n/de.js secret-pattern hits are German auth UI strings such as password/token labels, not embedded secrets.
  • rg found no fs writes, child_process, eval, vm, or persistence primitives in package source.
Behavioral surface
Source: Crypto, Dynamic Require, Filesystem, Network
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 142 file(s), 734 KB of source, external domains: 0.0.0.0, 0177.0.0.1, 10.0.0.1, 10.0.0.5, 100.64.0.1, 127.0.0.1, 169.254.0.1, 169.254.169.254, 172.16.3.4, 172.31.255.255, 172.32.0.1, 192.168.1.1, 192.169.0.1, 8.8.8.8, anything-public.example.com, api.lettermint.co, api.localhost, app.example.com, app.example.com.evil.test, app.test, eu.lettermint.test, evil-push.example.com, evil.com, evil.example.com, example.com, fcm.googleapis.com, fcm.googleapis.com.evil.com, other.com, push.example.com, push.test, updates.push.services.mozilla.com, web.push.apple.com

Source & flagged code

15 flagged
dist/i18n/de.js
  line 31: patternName = generic_password, severity = medium, matchedText = password...rt',
    Medium · Secret Pattern: Package contains a possible secret pattern.
  line 47: patternName = generic_password, severity = medium, matchedText = password...rt',
    Medium · Secret Pattern: Hardcoded password in dist/i18n/de.js
  line 81: patternName = generic_password, severity = medium, matchedText = password...rt',
    Medium · Secret Pattern: Hardcoded password in dist/i18n/de.js
dist/server/auth.js
  lines 88-90:
    try {
      const mod = (await import(/* @vite-ignore */ specifier));
      return (password, hash) => mod.compare(password, hash);
    Medium · Dynamic Require: Package source references dynamic require/import behavior.
dist/server/validation.test.js
  line 154: patternName = generic_password, severity = medium, matchedText = expect(v...se);
    Medium · Secret Pattern: Hardcoded password in dist/server/validation.test.js
  line 163: patternName = generic_password, severity = medium, matchedText = expect(v...se);
    Medium · Secret Pattern: Hardcoded password in dist/server/validation.test.js
dist/server/handlers/reset-password.test.js
  line 22: patternName = generic_password, severity = medium, matchedText = const re...}));
    Medium · Secret Pattern: Hardcoded password in dist/server/handlers/reset-password.test.js
  line 44: patternName = generic_password, severity = medium, matchedText = const re...}));
    Medium · Secret Pattern: Hardcoded password in dist/server/handlers/reset-password.test.js
  line 60: patternName = generic_password, severity = medium, matchedText = handler....})),
    Medium · Secret Pattern: Hardcoded password in dist/server/handlers/reset-password.test.js
  line 61: patternName = generic_password, severity = medium, matchedText = handler.... }))
    Medium · Secret Pattern: Hardcoded password in dist/server/handlers/reset-password.test.js
  line 74: patternName = generic_password, severity = medium, matchedText = const bo...' };
    Medium · Secret Pattern: Hardcoded password in dist/server/handlers/reset-password.test.js
dist/server/handlers/register.test.js
  line 5: patternName = generic_password, severity = medium, matchedText = const va...' };
    Medium · Secret Pattern: Hardcoded password in dist/server/handlers/register.test.js
dist/i18n/en.js
  line 31: patternName = generic_password, severity = medium, matchedText = password...rd',
    Medium · Secret Pattern: Hardcoded password in dist/i18n/en.js
  line 47: patternName = generic_password, severity = medium, matchedText = password...rd',
    Medium · Secret Pattern: Hardcoded password in dist/i18n/en.js
  line 81: patternName = generic_password, severity = medium, matchedText = password...rd',
    Medium · Secret Pattern: Hardcoded password in dist/i18n/en.js

Findings

16 Medium, 4 Low
  Medium · Secret Pattern · dist/i18n/de.js
  Medium · Dynamic Require · dist/server/auth.js
  Medium · Network
  Medium · Secret Pattern · dist/server/validation.test.js
  Medium · Secret Pattern · dist/server/validation.test.js
  Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
  Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
  Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
  Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
  Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
  Medium · Secret Pattern · dist/server/handlers/register.test.js
  Medium · Secret Pattern · dist/i18n/de.js
  Medium · Secret Pattern · dist/i18n/de.js
  Medium · Secret Pattern · dist/i18n/en.js
  Medium · Secret Pattern · dist/i18n/en.js
  Medium · Secret Pattern · dist/i18n/en.js
  Low · Scripts Present
  Low · Filesystem
  Low · High Entropy Strings
  Low · Url Strings