AI Security Review
scanned 5d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. Runtime network behavior is package-aligned authentication, email, SSE, service worker, and Web Push functionality invoked by consumers/users.
Decision evidence
public snapshot
- Network-capable code exists for user-configured Lettermint email and Web Push delivery.
- dist/server/auth.js uses dynamic import for optional bcrypt/bcryptjs legacy hash verification.
- package.json has no install/preinstall/postinstall lifecycle hooks and exports only dist entrypoints.
- dist/server/auth.js dynamic import is limited to bcrypt/bcryptjs verification fallback, not arbitrary code loading.
- dist/server/email/lettermint.js posts only to configured Lettermint baseUrl, default https://api.lettermint.co/v1/send, when consumer sends mail.
- dist/server/notifications/push.js fetches user push endpoints only after public-HTTPS SSRF guard in push-endpoint.js.
- dist/i18n/de.js secret-pattern hits are German auth UI strings such as password/token labels, not embedded secrets.
- rg found no fs writes, child_process, eval, vm, or persistence primitives in package source.
Source & flagged code
15 flagged
- dist/server/auth.js · L88: Package source references dynamic require/import behavior.
- dist/server/validation.test.js · L154: Hardcoded password in dist/server/validation.test.js
- dist/server/validation.test.js · L163: Hardcoded password in dist/server/validation.test.js
- dist/server/handlers/reset-password.test.js · L22: Hardcoded password in dist/server/handlers/reset-password.test.js
- dist/server/handlers/reset-password.test.js · L44: Hardcoded password in dist/server/handlers/reset-password.test.js
- dist/server/handlers/reset-password.test.js · L60: Hardcoded password in dist/server/handlers/reset-password.test.js
- dist/server/handlers/reset-password.test.js · L61: Hardcoded password in dist/server/handlers/reset-password.test.js
- dist/server/handlers/reset-password.test.js · L74: Hardcoded password in dist/server/handlers/reset-password.test.js
- dist/server/handlers/register.test.js · L5: Hardcoded password in dist/server/handlers/register.test.js