registry  /  @utoo/pack  /  1.4.20

@utoo/pack@1.4.20

> 🌖 High-performance bundler core for the Utoo toolchain, powered by [Turbopack](https://turbo.build/pack).

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Suspicious primitives are aligned with a build/dev server package and are triggered by explicit runtime features, not package installation or import alone.

Static reason
One or more suspicious static signals were detected.
Trigger
User calls serve with HTTPS, runs build with ANALYZE, or enables output.clean.
Impact
Downloads and executes mkcert for local certificates, starts user-configured analyzer/proxy/server, and modifies project build artifacts only under configured paths.
Mechanism
runtime dev-server certificate generation, analyzer spawn, configured build output cleanup
Rationale
Static source inspection found risky runtime capabilities, but they are package-aligned build/dev-server features requiring explicit user action or configuration, with no install-time execution, exfiltration, stealth persistence, or AI-agent control-surface mutation. The package should be marked clean for upstream firewall purposes.
Evidence
package.jsoncjs/index.jsesm/index.jsesm/utils/mkcert.jsesm/commands/build.jsesm/commands/dev.jsesm/config/readWebpackConfig.jsesm/binding.jsesm/core/proxyHono.jsesm/utils/cleanOutput.jsesm/utils/lockfile.jsmkcert cache directorycertificates/localhost-key.pemcertificates/localhost.pem.gitignore.turbopack/lockconfigured output directory
Network endpoints1
github.com/FiloSottile/mkcert/releases/download/v1.4.4/{binaryName}

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • esm/utils/mkcert.js downloads mkcert from GitHub and executes it when HTTPS dev cert generation is requested.
  • esm/commands/build.js can spawn npx webpack-bundle-analyzer when ANALYZE is set.
  • esm/utils/cleanOutput.js removes configured output directory entries when output.clean is enabled.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build tooling.
  • cjs/index.js and esm/index.js only export build, serve, config/types helpers.
  • esm/utils/mkcert.js behavior is user-invoked dev HTTPS certificate setup, not install/import-time execution.
  • esm/config/readWebpackConfig.js requires the user's local webpack config for documented config loading.
  • Network/proxy code is dev-server functionality configured by the user; no credential harvesting or exfiltration found.
  • Native binding loader only selects platform optional @utoo/pack-* packages or local .node files.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 54 file(s), 229 KB of source, external domains: github.com

Source & flagged code

4 flagged · loading source
esm/utils/mkcert.jsView file
1import { execSync } from "node:child_process"; L2: import { createPrivateKey, X509Certificate } from "node:crypto";
High
Child Process

Package source references child process execution.

esm/utils/mkcert.jsView on unpkg · L1
esm/commands/build.jsView file
114stdio: "inherit", L115: shell: true, L116: });
High
Shell

Package source references shell execution.

esm/commands/build.jsView on unpkg · L114
112return new Promise((resolve, reject) => { L113: const analyzer = spawn("npx", ["webpack-bundle-analyzer", statsPath], { L114: stdio: "inherit",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

esm/commands/build.jsView on unpkg · L112
esm/config/readWebpackConfig.jsView file
12.find(fs.existsSync); L13: const config = require(configFile || configPath); L14: if (typeof config === "function") {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

esm/config/readWebpackConfig.jsView on unpkg · L12

Findings

3 High4 Medium4 Low
HighChild Processesm/utils/mkcert.js
HighShellesm/commands/build.js
HighRuntime Package Installesm/commands/build.js
MediumDynamic Requireesm/config/readWebpackConfig.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings