
@urbicon-ui/auth@6.8.1

Authentication for SvelteKit — JWT sessions, passkeys/WebAuthn, notifications and email with zero runtime dependencies

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No malicious attack surface was confirmed. Network use matches the package's stated purpose (auth UI requests, transactional email, and web-push delivery) and is triggered only by consumer-invoked APIs and components.

Static reason: one or more suspicious static signals were detected.
Trigger: the consumer imports the package and explicitly calls auth/email/push helpers or uses the client components.
Impact: no unauthorized execution, persistence, exfiltration, or destructive behavior identified.
Mechanism: SvelteKit auth library with optional email and push-notification network calls.
Rationale: static inspection shows the suspicious scanner hits are expected auth-library behavior: an optional bcrypt import, user-invoked fetches, and translation strings that mention credentials. No lifecycle hooks or source facts indicate unconsented execution, harvesting, exfiltration, persistence, or destructive actions.
Evidence
  • package.json
  • dist/index.js
  • dist/server/index.js
  • dist/server/auth.js
  • dist/server/email/lettermint.js
  • dist/server/notifications/push.js
  • dist/server/notifications/push-endpoint.js
  • dist/i18n/de.js
  • dist/client/csrf.js
  • dist/client/utils/service-worker.js
Network endpoints (1)
  • api.lettermint.co/v1/send

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for blocking
  • dist/server/auth.js dynamically imports only optional bcrypt/bcryptjs for legacy password verification.
  • dist/server/email/lettermint.js posts mail only to configured Lettermint API during explicit send().
  • dist/server/notifications/push.js fetches user push endpoints during explicit notification delivery.
Evidence against blocking
  • package.json has no install/preinstall/postinstall/prepare lifecycle hooks.
  • dist/index.js and dist/server/index.js are export barrels; no install/import-time execution observed.
  • dist/i18n/de.js is static German translation text; scanner secret hits are words like password/token in UI strings.
  • No child_process, filesystem writes, credential harvesting, or AI-agent control-surface writes found.
  • Push endpoint code includes public HTTPS validation and blocks localhost/private/link-local IP literals.
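The last evidence line above is the one that matters for a server-side push sender: a subscription endpoint is attacker-supplied input that the server will later fetch, so it is an SSRF vector unless validated. As an added example (not the package's push-endpoint.js, whose internals the review does not quote), this is a public-HTTPS validator exercised against the same kinds of literals that appear in the scanner's domain list: private, loopback, link-local and CGNAT ranges, an octal-encoded 0177.0.0.1, IPv6 loopback and IPv4-mapped forms, *.localhost, and suffix-spoofed hosts such as fcm.googleapis.com.evil.com. Function names, the optional allowlist and every fixture URL are this example's own assumptions.

```javascript
// Added example, not code from @urbicon-ui/auth: "public HTTPS only" check for
// Web Push subscription endpoints. Names and fixtures are assumptions.

// IPv4 ranges a server-side push sender must never be coaxed into fetching.
const BLOCKED_V4 = [
  ['0.0.0.0', 8],       // "this" network
  ['10.0.0.0', 8],      // RFC 1918
  ['100.64.0.0', 10],   // RFC 6598 shared address space (CGNAT)
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local, includes cloud metadata 169.254.169.254
  ['172.16.0.0', 12],   // RFC 1918 (172.16.0.0 - 172.31.255.255; 172.32.0.1 is public)
  ['192.168.0.0', 16],  // RFC 1918 (192.169.0.1 is public)
];

const v4ToInt = (ip) => ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);

function inCidr(ip, [base, bits]) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

function isBlockedIp(host) {
  if (/^(\d{1,3}\.){3}\d{1,3}$/.test(host)) {
    return BLOCKED_V4.some((range) => inCidr(host, range));
  }
  if (host.includes(':')) {
    // WHATWG URL serialises IPv4-mapped addresses as ::ffff:7f00:1; decode the
    // last two hextets and judge the embedded IPv4 address instead.
    const mappedHex = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (mappedHex) {
      const hi = parseInt(mappedHex[1], 16);
      const lo = parseInt(mappedHex[2], 16);
      return isBlockedIp(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    const mappedDotted = host.match(/^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/);
    if (mappedDotted) return isBlockedIp(mappedDotted[1]);
    return host === '::1' || host === '::' ||
      host.startsWith('fe80:') ||                      // link-local
      host.startsWith('fc') || host.startsWith('fd');  // unique local fc00::/7
  }
  return false;
}

// Returns { ok: true, host } or { ok: false, reason }. `allowedHosts` is an
// optional list of push-service hosts; exact or dot-suffix match only.
function validatePushEndpoint(endpoint, { allowedHosts = null } = {}) {
  let url;
  try {
    url = new URL(endpoint);
  } catch (_err) {
    return { ok: false, reason: 'unparseable url' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'not https' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in url' };

  // URL parsing has already canonicalised the host: octal 0177.0.0.1 and
  // decimal 2130706433 both arrive here as 127.0.0.1, uppercase as lowercase.
  let host = url.hostname;
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1);

  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  if (isBlockedIp(host)) return { ok: false, reason: 'non-public ip literal' };

  // Exact host or ".<allowed>" suffix: this is what defeats fcm.googleapis.com.evil.com.
  if (allowedHosts) {
    const permitted = allowedHosts.some((a) => host === a || host.endsWith('.' + a));
    if (!permitted) return { ok: false, reason: 'host not in allowlist' };
  }
  return { ok: true, host };
}
```

Checking the literal is necessary but not sufficient: a hostname that passes here can still resolve to a private address at delivery time (DNS rebinding), so a production sender should also reject non-public addresses at connect time, in the HTTP client's lookup hook or by pinning to the known push-service hosts via `allowedHosts`.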
Behavioral surface
Source: Crypto, Dynamic Require, Filesystem, Network
Supply chain: High Entropy Strings, Url Strings
Manifest: no manifest risk signals triggered.
Scanned 142 file(s), 734 KB of source. External domains found by string scanning: 0.0.0.0, 0177.0.0.1, 10.0.0.1, 10.0.0.5, 100.64.0.1, 127.0.0.1, 169.254.0.1, 169.254.169.254, 172.16.3.4, 172.31.255.255, 172.32.0.1, 192.168.1.1, 192.169.0.1, 8.8.8.8, anything-public.example.com, api.lettermint.co, api.localhost, app.example.com, app.example.com.evil.test, app.test, eu.lettermint.test, evil-push.example.com, evil.com, evil.example.com, example.com, fcm.googleapis.com, fcm.googleapis.com.evil.com, other.com, push.example.com, push.test, updates.push.services.mozilla.com, web.push.apple.com. Apart from api.lettermint.co (the one real outbound endpoint listed above) and the three public push-service hosts, these are the kind of literals a push-endpoint validator's tests exercise (private, loopback, link-local and metadata addresses, an octal-encoded 0177.0.0.1, and suffix-spoofed hosts such as fcm.googleapis.com.evil.com), which is consistent with the evidence line that the push endpoint code validates public HTTPS and blocks localhost/private/link-local literals.

Source & flagged code

15 flagged

dist/i18n/de.js (Medium · Secret Pattern)
  L31 · generic_password · matched: password...rt'
  Package contains a possible secret pattern.
  L47 · generic_password · matched: password...rt'
  Hardcoded password in dist/i18n/de.js
  L81 · generic_password · matched: password...rt'
  Hardcoded password in dist/i18n/de.js
dist/server/auth.js (Medium · Dynamic Require)
  L88 · Package source references dynamic require/import behavior.
  L88: try {
  L89:   const mod = (await import(/* @vite-ignore */ specifier));
  L90:   return (password, hash) => mod.compare(password, hash);
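The Dynamic Require hit above is `await import(specifier)` with a variable specifier, which is exactly the shape scanners flag: the call loads whatever the variable holds. As an added example (not the package's own auth.js), this is the version a reviewer would want to see around such a call: the specifier is checked against a fixed allowlist before import, the optional module is loaded only when a stored hash is actually in bcrypt format, and an absent module fails closed instead of falling back to something weaker. `modernVerify` and all names here are this example's assumptions.

```javascript
// Added example, not code from @urbicon-ui/auth: allowlisted dynamic import of
// an optional legacy password verifier. Names are this example's assumptions.

const LEGACY_HASH_MODULES = new Set(['bcrypt', 'bcryptjs']);

// Hash-format dispatch: only bcrypt modular-crypt hashes ($2a$/$2b$/$2y$,
// two-digit cost, 53 base64 chars) are routed to the legacy path.
function isLegacyBcryptHash(hash) {
  return typeof hash === 'string' && /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/.test(hash);
}

// Reject anything but the two known module names, so the import() specifier
// can never become a relative path, a URL, or a data: string from config.
function assertLegacyHashModule(name) {
  if (!LEGACY_HASH_MODULES.has(name)) {
    throw new Error(`refusing to import legacy hash module ${JSON.stringify(name)}`);
  }
  return name;
}

// Resolves to compare(password, hash), or to null when the optional dependency
// is not installed. Any other import failure is re-thrown rather than hidden.
async function loadLegacyVerifier(name = 'bcrypt') {
  const specifier = assertLegacyHashModule(name);
  try {
    const mod = await import(/* @vite-ignore */ specifier);
    const impl = mod.default && typeof mod.default.compare === 'function' ? mod.default : mod;
    return (password, hash) => impl.compare(password, hash);
  } catch (err) {
    if (err && (err.code === 'ERR_MODULE_NOT_FOUND' || err.code === 'MODULE_NOT_FOUND')) return null;
    throw err;
  }
}

// modernVerify(password, hash) is an assumed callback for the current hash
// scheme; legacy bcrypt hashes use the optional module; a missing module
// fails closed (false), never "accept".
async function verifyPassword(password, hash, modernVerify, legacyModule = 'bcrypt') {
  if (!isLegacyBcryptHash(hash)) return modernVerify(password, hash);
  const compare = await loadLegacyVerifier(legacyModule);
  if (compare === null) return false;
  return compare(password, hash);
}
```

With the allowlist in front of it, the `await import(specifier)` line is still a variable-specifier import and will still trip a static rule; the point of the check is that a reviewer reading the flagged line can see, three lines up, that the variable's value space is two constants.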
dist/server/validation.test.js (Medium · Secret Pattern · Hardcoded password in dist/server/validation.test.js)
  L154 · generic_password · matched: expect(v...se);
  L163 · generic_password · matched: expect(v...se);

dist/server/handlers/reset-password.test.js (Medium · Secret Pattern · Hardcoded password in dist/server/handlers/reset-password.test.js)
  L22 · generic_password · matched: const re...}));
  L44 · generic_password · matched: const re...}));
  L60 · generic_password · matched: handler....})),
  L61 · generic_password · matched: handler.... }))
  L74 · generic_password · matched: const bo...' };

dist/server/handlers/register.test.js (Medium · Secret Pattern · Hardcoded password in dist/server/handlers/register.test.js)
  L5 · generic_password · matched: const va...' };

dist/i18n/en.js (Medium · Secret Pattern · Hardcoded password in dist/i18n/en.js)
  L31 · generic_password · matched: password...rd'
  L47 · generic_password · matched: password...rd'
  L81 · generic_password · matched: password...rd'
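Fourteen of the fifteen hits above are generic_password matches in translation resources and test files, which is what the Rationale section says they are. A reviewer still should not wave them through on file path alone, because a real credential pasted into a test fixture is a common leak. As an added example (not the scanner's or the package's code), this triage routine applies both rules: a high-entropy assigned value is escalated wherever it lives, a short human-readable label in an i18n file is classified as UI text, and a low-entropy value in a test file is classified as a fixture. The hit objects are constructed stand-ins for the page's truncated matchedText; thresholds and verdict names are assumptions.

```javascript
// Added example, not code from @urbicon-ui/auth or the scanner: triage of
// generic_password hits by location and by what the matched value looks like.

// Captures the quoted right-hand side of `password: '...'`, `token = "..."`, etc.
function extractAssignedValue(matchedText) {
  const m = matchedText.match(/(?:password|passwd|pwd|secret|token)\w*\s*[:=]\s*['"`]([^'"`]*)['"`]/i);
  return m ? m[1] : null;
}

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// A dictionary word such as "Passwort" is under 3 bits/char; random tokens sit
// above 3.5. The length floor keeps short fixtures from tripping the rule.
const looksLikeRealSecret = (v) => v !== null && v.length >= 16 && shannonEntropy(v) >= 3.5;

const isTestFile = (file) => /\.test\.[cm]?[jt]s$/.test(file) || /\/__tests__\//.test(file);
const isI18nFile = (file) => /\/i18n\//.test(file);
const isHumanLabel = (v) => v !== null && /^[\p{L}\s.,!?'-]{1,40}$/u.test(v);

function triageSecretHit(hit) {
  const value = extractAssignedValue(hit.matchedText);
  // Entropy wins over location: a real credential in a test file still surfaces.
  if (looksLikeRealSecret(value)) return { verdict: 'needs-review', reason: 'high-entropy value' };
  if (isI18nFile(hit.file) && isHumanLabel(value)) return { verdict: 'ui-label', reason: 'translation string' };
  if (isTestFile(hit.file)) return { verdict: 'test-fixture', reason: 'low-entropy value in test file' };
  // Unparseable or runtime-source hits stay in the review queue.
  return { verdict: 'needs-review', reason: 'password-like assignment in runtime source' };
}

// Constructed sample hits in the scanner's row shape (not its actual text).
const SAMPLE_HITS = [
  { file: 'dist/i18n/de.js', line: 31, matchedText: "password: 'Passwort'," },
  { file: 'dist/server/handlers/register.test.js', line: 5,
    matchedText: "const valid = { email: 'a@example.test', password: 'correct horse' };" },
  { file: 'dist/server/handlers/reset-password.test.js', line: 22,
    matchedText: "const resetToken = 'gX9pQ2mZ7vL4kR8tW1nB3yC6';" },
  { file: 'dist/server/auth.js', line: 120, matchedText: 'const password = body.password;' },
];

function triageAll(hits = SAMPLE_HITS) {
  return hits.map((hit) => ({ file: hit.file, line: hit.line, ...triageSecretHit(hit) }));
}
```

Run against the constructed rows, the de.js label and the register.test.js fixture drop out, while the high-entropy token in reset-password.test.js and the runtime assignment in auth.js stay queued for a human; that is the split a reviewer wants before signing off on a "false positive" verdict like the one at the top of this page.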

Findings

16 Medium · 4 Low
Medium · Secret Pattern · dist/i18n/de.js
Medium · Dynamic Require · dist/server/auth.js
Medium · Network
Medium · Secret Pattern · dist/server/validation.test.js
Medium · Secret Pattern · dist/server/validation.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/register.test.js
Medium · Secret Pattern · dist/i18n/de.js
Medium · Secret Pattern · dist/i18n/de.js
Medium · Secret Pattern · dist/i18n/en.js
Medium · Secret Pattern · dist/i18n/en.js
Medium · Secret Pattern · dist/i18n/en.js
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings