AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface is established. Network use is package-aligned for auth UI requests, transactional email, and web-push delivery, and is triggered by consumer-invoked APIs/components.
Decision evidence
public snapshot
- dist/server/auth.js dynamically imports only optional bcrypt/bcryptjs for legacy password verification.
- dist/server/email/lettermint.js posts mail only to configured Lettermint API during explicit send().
- dist/server/notifications/push.js fetches user push endpoints during explicit notification delivery.
- package.json has no install/preinstall/postinstall/prepare lifecycle hooks.
- dist/index.js and dist/server/index.js are export barrels; no install/import-time execution observed.
- dist/i18n/de.js is static German translation text; scanner secret hits are words like password/token in UI strings.
- No child_process, filesystem writes, credential harvesting, or AI-agent control-surface writes found.
- Push endpoint code includes public HTTPS validation and blocks localhost/private/link-local IP literals.
Source & flagged code
15 flagged
- Package source references dynamic require/import behavior: dist/server/auth.js · L88
- Hardcoded password in dist/server/validation.test.js · L154
- Hardcoded password in dist/server/validation.test.js · L163
- Hardcoded password in dist/server/handlers/reset-password.test.js · L22
- Hardcoded password in dist/server/handlers/reset-password.test.js · L44
- Hardcoded password in dist/server/handlers/reset-password.test.js · L60
- Hardcoded password in dist/server/handlers/reset-password.test.js · L61
- Hardcoded password in dist/server/handlers/reset-password.test.js · L74
- Hardcoded password in dist/server/handlers/register.test.js · L5