@urbicon-ui/auth@6.9.0

Authentication for SvelteKit — JWT sessions, passkeys/WebAuthn, notifications and email with zero runtime dependencies

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Network and crypto primitives are aligned with an auth, email, WebAuthn, TOTP, CSRF, and web-push package and are invoked by consumers at runtime.

Static reason
One or more suspicious static signals were detected.
Trigger
consumer imports/uses auth handlers, UI stores, email transport, or push service
Impact
no unauthorized install-time execution, exfiltration, persistence, or destructive behavior identified
Mechanism
package-aligned authentication and notification functionality
Rationale
Static inspection found expected auth-package behavior with no lifecycle execution, credential harvesting, hidden exfiltration, shell execution, persistence, or AI-agent control-surface writes. Scanner findings are explained by optional bcrypt import, legitimate fetch use, and translation text containing security terms.
Evidence
package.json
dist/index.js
dist/server/index.js
dist/server/auth.js
dist/server/deps.js
dist/i18n/de.js
dist/client/csrf.js
dist/client/stores/auth.svelte.js
dist/client/stores/notifications.svelte.js
dist/server/email/lettermint.js
dist/server/notifications/push.js
dist/server/notifications/push-endpoint.js
Network endpoints (1)
api.lettermint.co/v1/send

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
• package.json has no install/preinstall/postinstall lifecycle hooks and exports only dist entrypoints.
• dist/server/auth.js dynamic import is limited to optional bcrypt/bcryptjs verification for legacy password hashes.
• dist/i18n/de.js contains only German UI/auth translation strings; scanner secret hits are words like password/token/secret in messages.
• dist/client/* fetches configured same-app auth/notification base paths for user-invoked UI actions.
• dist/server/email/lettermint.js sends email only through configured Lettermint transport; token is user-supplied config.
• dist/server/notifications/push.js fetches user push endpoints only after public HTTPS endpoint validation in push-endpoint.js.
Behavioral surface
Source: Crypto, Dynamic Require, Filesystem, Network
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
    scanned 142 file(s), 734 KB of source, external domains: 0.0.0.0, 0177.0.0.1, 10.0.0.1, 10.0.0.5, 100.64.0.1, 127.0.0.1, 169.254.0.1, 169.254.169.254, 172.16.3.4, 172.31.255.255, 172.32.0.1, 192.168.1.1, 192.169.0.1, 8.8.8.8, anything-public.example.com, api.lettermint.co, api.localhost, app.example.com, app.example.com.evil.test, app.test, eu.lettermint.test, evil-push.example.com, evil.com, evil.example.com, example.com, fcm.googleapis.com, fcm.googleapis.com.evil.com, other.com, push.example.com, push.test, updates.push.services.mozilla.com, web.push.apple.com

Source & flagged code

15 flagged

dist/i18n/de.js
patternName = generic_password · severity = medium · line = 31 · matchedText = password...rt',
Medium · Secret Pattern
Package contains a possible secret pattern.

patternName = generic_password · severity = medium · line = 47 · matchedText = password...rt',
Medium · Secret Pattern
Hardcoded password in dist/i18n/de.js

patternName = generic_password · severity = medium · line = 81 · matchedText = password...rt',
Medium · Secret Pattern
Hardcoded password in dist/i18n/de.js

dist/server/auth.js
lines 88-90:
    try {
      const mod = (await import(/* @vite-ignore */ specifier));
      return (password, hash) => mod.compare(password, hash);
Medium · Dynamic Require
Package source references dynamic require/import behavior.

dist/server/validation.test.js
patternName = generic_password · severity = medium · line = 154 · matchedText = expect(v...se);
Medium · Secret Pattern
Hardcoded password in dist/server/validation.test.js

patternName = generic_password · severity = medium · line = 163 · matchedText = expect(v...se);
Medium · Secret Pattern
Hardcoded password in dist/server/validation.test.js

dist/server/handlers/reset-password.test.js
patternName = generic_password · severity = medium · line = 22 · matchedText = const re...}));
Medium · Secret Pattern
Hardcoded password in dist/server/handlers/reset-password.test.js

patternName = generic_password · severity = medium · line = 44 · matchedText = const re...}));
Medium · Secret Pattern
Hardcoded password in dist/server/handlers/reset-password.test.js

patternName = generic_password · severity = medium · line = 60 · matchedText = handler....})),
Medium · Secret Pattern
Hardcoded password in dist/server/handlers/reset-password.test.js

patternName = generic_password · severity = medium · line = 61 · matchedText = handler.... }))
Medium · Secret Pattern
Hardcoded password in dist/server/handlers/reset-password.test.js

patternName = generic_password · severity = medium · line = 74 · matchedText = const bo...' };
Medium · Secret Pattern
Hardcoded password in dist/server/handlers/reset-password.test.js

dist/server/handlers/register.test.js
patternName = generic_password · severity = medium · line = 5 · matchedText = const va...' };
Medium · Secret Pattern
Hardcoded password in dist/server/handlers/register.test.js

dist/i18n/en.js
patternName = generic_password · severity = medium · line = 31 · matchedText = password...rd',
Medium · Secret Pattern
Hardcoded password in dist/i18n/en.js

patternName = generic_password · severity = medium · line = 47 · matchedText = password...rd',
Medium · Secret Pattern
Hardcoded password in dist/i18n/en.js

patternName = generic_password · severity = medium · line = 81 · matchedText = password...rd',
Medium · Secret Pattern
Hardcoded password in dist/i18n/en.js

Findings

16 Medium, 4 Low
Medium · Secret Pattern · dist/i18n/de.js
Medium · Dynamic Require · dist/server/auth.js
Medium · Network
Medium · Secret Pattern · dist/server/validation.test.js
Medium · Secret Pattern · dist/server/validation.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/reset-password.test.js
Medium · Secret Pattern · dist/server/handlers/register.test.js
Medium · Secret Pattern · dist/i18n/de.js
Medium · Secret Pattern · dist/i18n/de.js
Medium · Secret Pattern · dist/i18n/en.js
Medium · Secret Pattern · dist/i18n/en.js
Medium · Secret Pattern · dist/i18n/en.js
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings