AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. Network and crypto primitives are aligned with an auth, email, WebAuthn, TOTP, CSRF, and web-push package and are invoked by consumers at runtime.
Decision evidence
public snapshot
- package.json has no install/preinstall/postinstall lifecycle hooks and exports only dist entrypoints.
- dist/server/auth.js dynamic import is limited to optional bcrypt/bcryptjs verification for legacy password hashes.
- dist/i18n/de.js contains only German UI/auth translation strings; scanner secret hits are words like password/token/secret in messages.
- dist/client/* fetches configured same-app auth/notification base paths for user-invoked UI actions.
- dist/server/email/lettermint.js sends email only through configured Lettermint transport; token is user-supplied config.
- dist/server/notifications/push.js fetches user push endpoints only after public HTTPS endpoint validation in push-endpoint.js.
Source & flagged code
15 flagged
- dist/server/auth.js · L88: Package source references dynamic require/import behavior.
- dist/server/validation.test.js · L154: Hardcoded password in dist/server/validation.test.js
- dist/server/validation.test.js · L163: Hardcoded password in dist/server/validation.test.js
- dist/server/handlers/reset-password.test.js · L22: Hardcoded password in dist/server/handlers/reset-password.test.js
- dist/server/handlers/reset-password.test.js · L44: Hardcoded password in dist/server/handlers/reset-password.test.js
- dist/server/handlers/reset-password.test.js · L60: Hardcoded password in dist/server/handlers/reset-password.test.js
- dist/server/handlers/reset-password.test.js · L61: Hardcoded password in dist/server/handlers/reset-password.test.js
- dist/server/handlers/reset-password.test.js · L74: Hardcoded password in dist/server/handlers/reset-password.test.js
- dist/server/handlers/register.test.js · L5: Hardcoded password in dist/server/handlers/register.test.js